Agent skills are the new postinstall scripts... #changemymind

What do people use to stay up to date with/monitor socials these days? My feed is 🔥 with AI tools & I feel like my meat brain & thumbs can't process the thousands of experiments/insights. Do I just spin up OpenClaw & make it monitor socials w/ daily recaps?

Doing some analytics with #NPM and this is the distribution of how many downloads NPM packages typically get.

The @vlt.sh benchmark suite has been updated to include the yarn v6 canaries (still a WIP & improving all the time): benchmarks.vlt.sh

I was recently on the Changelog podcast to talk about npm's security issues, what can be done, and why the npm registry is unique amongst programming language source code registries.

nvm.sh users: please upgrade to github.com/nvm-sh/nvm/r... if you're using `wget` on your system, to fix a medium vulnerability (github.com/nvm-sh/nvm/s...).

Annnnnd it's gone. "Fed Rescinds Software Supply Chain Mandates Making SBOMs Optional". A lot of SecOps folks made a killing off this box checking. Hopefully they banked the money somewhere other than South Park: socket.dev/blog/federal...

Darcy Clarke and Ruy Adorno are longtime npm CLI maintainers and Node.js contributors. They join @joshuakgoldberg.com to discuss vlt, a new package manager and registry designed to improve performance, security, and developer experience. @darcyclarke.me @ruyadorno.com bit.ly/3YNGniF

💙 20yrs since $(this) thing made you fall in love w/ the DOM & CSS selectors. Never forget the amazing work @johnresig.com & team did to make this happen & then ensure the awesomeness got standardized in Web APIs like querySelector() & querySelectorAll(). John, thanks for all the $ 😉

@lukekarrys.com joins HalfStack Phoenix. A practical story about building for kids, using NFC cards to control music, and turning everyday interactions into something playful and intuitive. 📅 𝐉𝐚𝐧𝐮𝐚𝐫𝐲 𝟑𝟎𝐭𝐡, 𝟐𝟎𝟐𝟔 — 𝐌𝐚𝐣𝐞𝐬𝐭𝐢𝐜 𝐓𝐡𝐞𝐚𝐭𝐞𝐫, 𝐆𝐢𝐥𝐛𝐞𝐫𝐭 🎟️ halfstackconf.com/phoenix #HalfStackphoenix #TechEvents

This just in: JavaScript uses memory.

I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...

GitHub's product leadership sure knows how to piss off developers these days

To recap, NPM allows 2FA TOTP token reuse within the token’s validity window. I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.” So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/

Looking for a maintainer. Good opportunity if you want to manage a library with a lot of users cc @reinhold.is I know storybook has its own version of this. Maybe they could be merged and managed in tandem?

Who's going to be in Las Vegas this week for AWS re:Invent? Let's chat packages & supply chain security if you're here!

The top licenses published on #npm . Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]

🚀 Here is @vlt.sh take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build #javascript #nodejs #packages

Seriously? Y'all had no idea?! HMU if you want to know about the "weaknesses" or "blind spots" with npm/GitHub or your security vendors. arstechnica.com/security/202...

Hello Internet @darcyclarke.me @wesbos.com

If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...

Fantastic talk by @joyeecheung.bsky.social, a must watch to package authors that want to stay up-to-date on how to ship packages in this post require(esm) era: youtu.be/I0jvOJW7NaI #nodejs

Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out. Join me and check them out: www.vlt.sh

👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢

Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.

A year ago, @sentry.io launched the Open Source Pledge, with one singular goal: get maintainers paid. A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why. 🧵

Expecting "free speech" on private platforms where you don't control the means of distribution is the definition of insane. This goes for the "left" & the "right". There'll always be limits to your "rights" when dependent on others. The limit is what's palatable to those that fund the platform.

To honor a great friend and open-source pioneer Mikeal Rogers we're organizing a "conf" and charity auction. I'll be auctioning an exclusive wagyu BBQ at my house for up to 15. Join us and ideally offer more donations! All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com

Just tested and it works with varlock.dev!

please do fill this out! it's one of the good surveys and I always find taking it to be informative and fun. ✨ ... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏

A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...

Been working with @pi0.io on a great DX for the upcoming v3 of @nitro.build Stay tuned ⚡︎

Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected. Meet the new vlt client `:host()` Query selector: blog.vlt.sh/blog/host-co... #javascript #nodejs #packages

🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor. Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript

ℹ️ Don't know who needs to hear this but npm has had a --before=<date> flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v… Setting a relative date is easy w/: $ npm install --before="$(date -v -7d)" # & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re

These attacks used to be more rare, but now we're seeing popular packages getting compromised every week. Check your dependencies. cc: @campuscodi.risky.biz

Good credentials != Good code...

Do not update to @ctrl/[email protected]. It has malware that is currently live on npm.

Honestly serious: JUST DON'T UPDATE PACKAGES RIGHT NOW. It is unclear to me yet, but this is looking pretty wide spread. Better be safe than sorry, just go touch some grass.

Typical day in life of a web dev

⚡ Point. Click. Discover. 🚀 We're excited to unveil a new Query Builder to @vlt.sh's UI. It's now dead simple to visually navigate complex dependency graph filters without typing a thing. No need to memorize our selector syntax (if you don't want to).

🔥 Just your yearly reminder that the JS ecosystem could be much worse off... stuck in the *first level* of "Dependency Hell" like many other ecosystems with minimal options/diversity... lucky for us, we get to face much hotter problems 😉

🚨 If you think you might be effected by the nx compromise please revoke the GitHub CLI Authorized OAuth App: github.com/settings/con... Notably, this is the only way to revoke/rotate the tokens made by/known to that app. The next time you `gh login` you can reauth.

🚀 New query-powered @vlt.sh commands just dropped! See how to release subsets of your packages with the new version, pack, and publish commands, all backed by the powerful dependency selector syntax.

🚀 Dependency Selector Syntax can now be used across @vlt.sh commands like run, exec, and pkg! This enables precise filtering when running scripts, executing commands, or getting package info. You have access to the whole graph! Read more about how it works and some example use cases:

🚀 @vercel.com now supports vlt in builds with zero config: vercel.com/changelog/vl... @vlt.sh

🚀 Excited to announce another major addition to the @vlt.sh client: Graph Modifiers! Graph Modifiers enable fine-grain customization of your install using our powerful Dependency Selector Syntax ⚡️ Read more about it here: blog.vlt.sh/blog/introdu... #javascript #nodejs #packages

Congrats to @slev.life who did the hard work and made @shiki.style's JS engine compatible with 100% of the built-in languages! github.com/shikijs/shik...

💬 @vlt.sh is starting Weekly Community Sync calls today (in ~5min actually); here's the deets: 📝 Agenda: github.com/vltpkg/vltpk... 🎙️ Join: recording.vlt.sh 🔴 Watch... On Riverside: recording.vlt.sh On YouTube: www.youtube.com/@vltpkg/live Excited to build together!

🚀 We just shipped catalog support to @vlt.sh! If you go grab the latest version you can now install & manage dependencies with pnpm-like catalog definitions (ex. `vlt i typescript@catalog:dev`). You can read more here: blog.vlt.sh/blog/catalog...