this is one of my favorite parts of the @vlt.sh CLI. it uses @socket.dev security data to prevent known malware from running lifecycle scripts like postinstall! and it’s powered by queries under the hood so you could make it as granular as you wanted (but we ship with safe defaults)

We’re seeing cases where teams can’t explain how they were compromised by the Axios incident because it doesn’t show up in their project's lockfile. The blast radius here is much larger than it looks. Deep dive into the messy reality of modern dependency resolution → socket.dev/blog/hidden-...

I heard you like fast package managers? What about fast registries? It's been a roller coaster of a month but our team has made some serious headway w/ even more improvements in the works. Gotta keep the registry fast so y'all can nab the next Claude Code leak.

tldr; if you used @vlt.sh as your package manager, then you were protected the minute @socket.dev flagged the malicious packages in the `axios` attack yesterday. The best time to switch your package manager was 48hrs ago, the next best time is right now. More below: blog.vlt.sh/blog/vlt-build

I'm still waiting on the "Vestro" announcement from @vercel.com today - where it's a slop fork of Astro...

🙌

Fixed up some perf issues and benchmark bugs in the new-streams reference impl ... some highlights running comparisons on @nodejs.org @deno.land and @bun.sh ... note each column is just looking at the one runtime, not comparing runtimes against each other ...

When does slop become soup? Like... delicious soup

🚀 Coming in the next version of tsdown: built-in Node.js SEA (Single Executable Applications) support! Now you can bundle your JS apps into a standalone executable with a single command: tsdown --exe

i built an entire x86 CPU emulator in CSS (no javascript) you can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS lyra.horse/x86css/

Agent skills are the new postinstall scripts... #changemymind

What do people use to stay up to date with/monitor socials these days? My feed is 🔥 with AI tools & I feel like my meat brain & thumbs can't process the thousands of experiments/insights. Do I just spin up OpenClaw & make it monitor socials w/ daily recaps?

Doing some analytics with #NPM and this is the distribution of how many downloads NPM packages typically get.

The @vlt.sh benchmark suite has been updated to include the yarn v6 canaries (still a WIP & improving all the time): benchmarks.vlt.sh

I was recently on the Changelog podcast to talk about npm's security issues, what can be done, and why the npm registry is unique amongst programming language source code registries.

nvm.sh users: please upgrade to github.com/nvm-sh/nvm/r... if you're using `wget` on your system, to fix a medium vulnerability (github.com/nvm-sh/nvm/s...).

Annnnnd it's gone. "Fed Rescinds Software Supply Chain Mandates Making SBOMs Optional". A lot of SecOps folks made a killing off this box checking. Hopefully they banked the money somewhere other than South Park: socket.dev/blog/federal...

Darcy Clarke and Ruy Adorno are longtime npm CLI maintainers and Node.js contributors. They join @joshuakgoldberg.com to discuss vlt, a new package manager and registry designed to improve performance, security, and developer experience. @darcyclarke.me @ruyadorno.com bit.ly/3YNGniF

💙 20yrs since $(this) thing made you fall in love w/ the DOM & CSS selectors. Never forget the amazing work @johnresig.com & team did to make this happen & then ensure the awesomeness got standardized in Web APIs like querySelector() & querySelectorAll(). John, thanks for all the $ 😉

@lukekarrys.com joins HalfStack Phoenix. A practical story about building for kids, using NFC cards to control music, and turning everyday interactions into something playful and intuitive. 📅 𝐉𝐚𝐧𝐮𝐚𝐫𝐲 𝟑𝟎𝐭𝐡, 𝟐𝟎𝟐𝟔 — 𝐌𝐚𝐣𝐞𝐬𝐭𝐢𝐜 𝐓𝐡𝐞𝐚𝐭𝐞𝐫, 𝐆𝐢𝐥𝐛𝐞𝐫𝐭 🎟️ halfstackconf.com/phoenix #HalfStackphoenix #TechEvents

This just in: JavaScript uses memory.

I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...

GitHub's product leadership sure knows how to piss off developers these days

To recap, NPM allows 2FA TOTP token reuse within the token’s validity window. I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.” So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/

Looking for a maintainer. Good opportunity if you want to manage a library with a lot of users cc @reinhold.is I know storybook has its own version of this. Maybe they could be merged and managed in tandem?

Who's going to be in Las Vegas this week for AWS re:Invent? Let's chat packages & supply chain security if you're here!

The top licenses published on #npm . Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]

🚀 Here is @vlt.sh take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build #javascript #nodejs #packages

Seriously? Y'all had no idea?! HMU if you want to know about the "weaknesses" or "blind spots" with npm/GitHub or your security vendors. arstechnica.com/security/202...

Hello Internet @darcyclarke.me @wesbos.com

If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...

Fantastic talk by @joyeecheung.bsky.social, a must watch to package authors that want to stay up-to-date on how to ship packages in this post require(esm) era: youtu.be/I0jvOJW7NaI #nodejs

Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out. Join me and check them out: www.vlt.sh

👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢

Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.

A year ago, @sentry.io launched the Open Source Pledge, with one singular goal: get maintainers paid. A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why. 🧵

Expecting "free speech" on private platforms where you don't control the means of distribution is the definition of insane. This goes for the "left" & the "right". There'll always be limits to your "rights" when dependent on others. The limit is what's palatable to those that fund the platform.

To honor a great friend and open-source pioneer Mikeal Rogers we're organizing a "conf" and charity auction. I'll be auctioning an exclusive wagyu BBQ at my house for up to 15. Join us and ideally offer more donations! All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com

Just tested and it works with varlock.dev!

please do fill this out! it's one of the good surveys and I always find taking it to be informative and fun. ✨ ... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏

A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...

Been working with @pi0.io on a great DX for the upcoming v3 of @nitro.build Stay tuned ⚡︎

Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected. Meet the new vlt client `:host()` Query selector: blog.vlt.sh/blog/host-co... #javascript #nodejs #packages

🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor. Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript

ℹ️ Don't know who needs to hear this but npm has had a --before=<date> flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v… Setting a relative date is easy w/: $ npm install --before="$(date -v -7d)" # & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re

These attacks used to be more rare, but now we're seeing popular packages getting compromised every week. Check your dependencies. cc: @campuscodi.risky.biz

Good credentials != Good code...

Do not update to @ctrl/[email protected]. It has malware that is currently live on npm.

Honestly serious: JUST DON'T UPDATE PACKAGES RIGHT NOW. It is unclear to me yet, but this is looking pretty wide spread. Better be safe than sorry, just go touch some grass.

Typical day in life of a web dev