The saddest part about the npm worms for me is watching an opt in security feature be used as the delivery vector to the registry.

May was another record breaking month for total downloads on the npm registry overall. 661 billion total monthly downloads, up 4.8% from last month. The insane March +35% increase hasn’t yet meaningfully regressed jonchurch.com/npm-global-t...

It just dawned on me that "firm"ware is someplace between software and hardware.

I have a toy package Im using for publish testing, and I cannot get it to update the readme? www.npmjs.com/package/semv... Has anyone else run into this? I've seen some old threads about this, but idk if it's related to new OIDC/staged publishing or something silly im not seeing

AI is best used to guilt trip your friends into going to Cracker Barrel with you

Tortoises Without Bordoises #WorldTurtleDay

A little history lesson on the new @npmjs.bsky.social "Staged Publishing": github.com/npm/rfcs/pul... We had this mostly designed back in 2020 on the RFC calls. You cannot believe how happy I am to see this come to fruition. Great work team!

LETS FUCKING GOOOO!!! docs.npmjs.com/staged-publi...

Btw, you can give gh cli a readonly token instead of the normal gh auth method which will have write. Drastically reduces blast radius if you are concerned about your gh cli token being stolen (which you should be) gh auth login —with-token hit enter Then paste the token, it will persist for you

In summary, what I learned is that the poisoned cache caused trojan versions of the checkout and cache GH actions to be restored over the their true versions within the release job. This is known as Cacheract, the vuln discovered by @adnanthekhan.bsky.social github.com/AdnaneKhan/C...

Does anyone have a link to an in depth write up of the tanstack attack, the CI compromise bit? I ask bc I am doing my own analysis and the official post mortem doesnt seem to get all the details right. That or I am misunderstanding something, so want to see if a real expert has written this up

Okay so adding cache to the list of github actions feature surface to always be terrified of adnanthekhan.com/posts/clinej...

tbh I didnt know whoopi was still on The View

There is no Trusted Publishing setup which prevents a compromised repo admin's github PAT from triggering an npm publish, right? I've spent months trying to find something, but deploy envs w/ required reviews, workflow guards, branch protections, signed tags. All of it can be overwritten w/o 2fa

devEngines started as @geoffreybooth.bsky.social and I in DMs 2 years ago. It's now supported in @npmjs.bsky.social & @pnpm.io, and later this month will be our recommended way for developers at Netflix to define runtime and package manager versions in their projects. docs.npmjs.com/cli/v11/conf...

Rebranding the bullet point fetish of llms "bullet pontification"

added OG image to my little npm reg total download trend site, so here's a reminder to keep an eye on this, hopefully one day we find out why exactly downloads have exploded! No idea if its agents (sandboxes), security scanning companies, or model training ¯\_(ツ)_/¯ jonchurch.com/npm-global-t...

So... we've decided to change things up. NodeConf EU 2026 will be hosted in Bologna, Italy this year. The dates are set for September 29th and 30th, 2026.

Theres been an npmx bug that’s bothered me for a few weeks now. User profiles are showing almost random packages. Its a subset of your packages, first I thought it was dropping anything in an npm org dug a little and it was worse. It shows packages _where the gh user is the same as the npm user_

🪿 There are some wild takes out there right now about open source being “dead” after recent supply chain attacks and rapid advances in AI-driven security. Let’s talk goosenomics for a minute. → socket.dev/blog/dont-ki...

jokes on them, ignoring my inbox has long been part of my security posture

We released a lodash patch today, everything went well so havent really thought about it since. A non event. Released a minor yesterday, and it broke stuff and immediately heard about it. Couldnt stop thinking about it until we fixed it EoD today 🫠

Okay so adding cache to the list of github actions feature surface to always be terrified of adnanthekhan.com/posts/clinej...

belt-and-suspenders

lodash just had its first ever 100M+ download week on npm that's a 70% YoY increase

its frustrating that the remote claude code env is missing some tools. For me its the missing gh cli that really hurts, for reading issues/PRs or otherwise doing read against GH So I created this StartSession script which ensures it is installed in remote sessions www.npmjs.com/package/@jon...

i do like the computer

In my OSS archaelogy efforts I keep bumping into the defunct Component.js pre-npm registry and UI framework paradigm Just found this video explainer from their homepage focusing on the ui component runtime system, really capturing a point in time www.youtube.com/watch?v=gtz7...

I spent almost $3k on Google BigQuery by accident while exploring dependency relationships in the deps.dev dataset WOOF

Our goal is to provide guidance and tooling for perf based decisions to the maintainers under our umbrella. Aligning our philosophy for how/what we monitor and how to interpret the results lets us be consistent across our 50+ packages. Ive been learning a lot so far, and big ty to @rafaelgss.dev

There are 39 ads on a given article from for my town’s local paper beyond cooked www.gainesville.com/story/news/l...

The Pitt: every week Brad Pitt unveils a new pit full of bullshit and throws people into it. Everyone loves the pit

I just learned that setting process.noDeprecation = true Silences dep notifications from node, its what —no-deprecation flag ends up setting I know its hacky, but how hacky?

🚀 Exciting Announcement today! Express v5 is officially "latest" and we have started the maintenance period for v4. Read more about the release and our LTS plans in our blog post: expressjs.com/2025/03/31/v...

Not sure this is the one, but pretty sure it is. @bjohansebas.bsky.social has been doing such great work it is awesome to see this kind of recognition! Well deserved.

I love getting nerdsniped on HTTP spec related stuff, and am glad I quit my job to have space in my life for this was fun to figure out what probably happened with content-disposition having in incomplete regex for parsing extended filename parameters: github.com/jshttp/conte...

Whats the purpose here of exfil to oastify vs requestbin? Does oastify enrich the exfil or is it just a convenient and innocuous endpoint?

top tier scam message

Approach open source as an infinite, open game. Prioritize purpose over goals, collaboration over competition, and legacy over ownership

Woah I didnt realize you can create your own algorithmic feeds! But also like hey @bsky.app which one of you is the Alf freak? 👀 docs.bsky.app/docs/starter...

So what are github action threats for public repos? Talking about allowing CI on PRs from forks Assume that im using “pull_request” trigger and have the default perms for actions GH defaults you to having to approve runs. In the above scenario, is it really a risk to let all of them run?

Still extremely enjoying the wipeout soundtrack from @coldstorage.bsky.social open.spotify.com/artist/1TvIL...