muhdiekuh, 1 month ago to node German

Considering that every year we have a new ambitious replacement for #npm in the JavaScript world, @naderman and @seldaek apparently did a very good job when building and maintaining #composer for #php. Thanks a lot to you two and everyone else involved.

williballenthin, 8 months ago to node

is it malware if the #npm package name tells you it’s stealing /etc/passwd?

hongminhee, 2 months ago to node

A pre-released version of #Fedify is now available on #npm!

https://www.npmjs.com/package/@fedify/fedify/v/0.5.0-dev.90

hywan, 10 months ago to node

The massive bug at the heart of the NPM ecosystem, https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem.

One more horror story about NPM 🤦.

#npm #JavaScript #ecosystem #security #safety

thisismissem, 1 year ago to random

Hrm, #npm really needs a filter for "still maintained" because there's an utterly ridiculous number of packages that are just no longer maintained, which would be really good to filter from search results

cadey, 9 months ago to javascript

Introducing nixexpr: Nix expressions for JavaScript

https://xeiaso.net/blog/nixexpr

#nix #javascript #nodejs #npm #cursed

kaiserkiwi, 8 months ago to webdev German

This is actually a pretty awesome (but lengthy) post about Bun and why you probably shouldn't jump on the train already.

Bun hype. How we learned nothing from Yarn
https://dev.to/thejaredwilcurt/bun-hype-how-we-learned-nothing-from-yarn-2n3j

#Coding #WebDev #JavaScript #NPM #Bun #BunJS #Yarn #ESBuild #Node #NodeJS

phylum, 4 months ago to opensource

We continue to identify sophisticated threats originating from the use of #opensource software packages. This time the attacker uses a signed #Microsoft executable to initiate the attack chain through an #npm package.

#malware #cybersec #infosec #javascript #reverseengineering #software #cybersecurity

https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/

tripu, 7 months ago to programming

#JS #Node #tip:

See what #npm packages your project is no longer using with this one-liner:

npx npm-check | grep -i 'notused?' | rev | cut -d'?' -f2 | cut -d' ' -f1 | rev

(Treat the list as a hint: npm-check isn’t capable of detecting all possible usages of all packages, so there might be false positives.)

rpetrich, 4 months ago to node

I spelunked into steganography to create a new feature in https://www.deciduous.app/ that lets you reimport PNGs and SVGs of your decision trees to derive the underlying YAML.

It involves some neat tricks inspired by Macromedia Fireworks (RIP), so I wrote a blog post about it: https://rpetrich.com/blog/posts/steganographic-trees-deciduous/

Deciduous now also sports a CLI (so you can #npm install it), and a bunch of lil things @shortridge and I added towards the goal of fast, easy, collaborative #threatmodeling of potential failures.

cdoremus, 5 months ago to node

Ryan Dahl's weekly #Deno video update just dropped that includes a preview of the next Deno release which will have the ability to import wasm modules, blobs (images), plain text and urls for things like CSS files. He also previews the new website, and says they are actively working on JSR. "What is that," he asks, and answers "I don't know" with a smile. My guess is JavaScript Repository, an alternative to #npm.
@deno_land
https://youtu.be/5nv2zhic6Jk?si=QJrbEznW4I6WQFb0

decaplanet, 9 months ago to typescript

@deno_land I tried Deno real quick. I think it’s actually much better than I thought. 👍

#TypeScript #JavaScript #Deno #npm

thenewoil, 5 months ago to node

#Blockchain dev’s wallet emptied in “job interview” using #npm package

https://www.bleepingcomputer.com/news/security/blockchain-devs-wallet-emptied-in-job-interview-using-npm-package/

#crypto #cybersecurity #cybercrime #scam

nurkiewicz, 2 months ago to node

From https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem

• a #npm package's manifest is published independently from its tarball
  manifests are never fully validated against the tarball's contents
• the ecosystem has broadly assumed the contents of the manifest & tarball are consistent
• any tools or insights using the public registry are susceptible to exploitation/likely inaccurate
• bad actors can hide malware & scripts in direct or transitive dependencies that go undetected

#JavaScript #NodeJS

casraf, 1 month ago to typescript

Help me reach 50 stars! 🙏 🤩

https://github.com/chenasraf/simple-scaffold

#typescript #javascript #scaffold #npm #nodejs #github

jbzfn, 5 months ago to github

🤡 Disruptive ‘everything’ JavaScript package created ‘for the meme’

「 On Dec. 29, a package titled “everything” was published to the registry, which is designed to install all other public packages in the registry. This created a registry-wide web of dependencies that effectively disabled the ability to unpublish packages on the site, as packages that other packages are dependent on cannot be unpublished 」

https://www.scmagazine.com/news/npm-registry-prank-leaves-developers-unable-to-unpublish-packages

#Github #NPM #Javascript

arendjr, 3 months ago to typescript

Received an invite for the https://jsr.io beta. This looks like a potential winner!

• First-class @deno_land support
• ESM-only
• Built-in #TypeScript
• Auto-doc generation from your TS sources
• Seamless publishing from #GitHub Actions
• #NPM integration

Especially the part where you can just publish your TypeScript package without transpilation, and they handle #NodeJS /NPM compatibility is pretty big for IMO.

YurkshireLad, 6 months ago to node

Thought I'd install #npm on #debian #linux to run a script:

"After this operation, 164 MB of additional disk space will be used."

164Mb????

#shocked

paladin, 3 months ago to php German

Your daily php-dev fitness:

composer selfupdate && composer global update && npm -g i npm npm-check-updates && ncu -g

You are welcome ;)
#php #nodejs #npm

Wuzzy, 4 months ago to node

This is defintely the funniest headline of the week: "npm flooded with 748 packages that store movies" 🤣

Well, that's ONE creative way to use #npm. 😉
Of course the movies are already deleted but still.

https://blog.sonatype.com/npm-flooded-with-748-packages-that-store-movies

anant, 3 months ago to node

#NPM based packages should mandatorily disclose whats the code size and what will be the nodes-modules folders count and total size. coz that combined together could what kind of liability i am getting myself into. #supplychain issues arise from being unaware / ignorant about your liabilities mostly.

bitexpert, 8 months ago to node German

#bitBlog Clean up old projects https://blog.bitexpert.de/blog/clean-up-old-projects #npm

andre, 4 months ago to node

I discovered a glitch in the Matrix!

A situation so unlikely I never considered it possible!

There is no #npm package for generating #Gemtext (for #Gemini resp. #Gopher)!

The closest I could find is a parser from 2020.

Plus plenty of cryptocurrency garbage.

Excuse me, there's a framework waiting to be written 😸

(If you want to turn Markdown into Gemtext, recommendations go to a Python package)

ecmascript_news, 4 months ago to javascript

How to protect your projects from the risks of deprecated npm packages
@sarahgooding @SocketSecurity
https://socket.dev/blog/the-risks-of-deprecated-npm-packages

#ECMAScript #JavaScript #npm

tanepiper, 1 month ago to node

Here's me trying to make sure we ship as secure as possible software, and there's someone who doesn't know how to use an npm ignore file to not ship their shitty docker files in their modules #node #npm