Considering that every year we have a new ambitious replacement for #npm in the JavaScript world, @naderman and @seldaek apparently did a very good job when building and maintaining #composer for #php. Thanks a lot to you two and everyone else involved.
Hrm, #npm really needs a filter for "still maintained" because there's an utterly ridiculous number of packages that are just no longer maintained, which would be really good to filter from search results
We continue to identify sophisticated threats originating from the use of #opensource software packages. This time the attacker uses a signed #Microsoft executable to initiate the attack chain through an #npm package.
I spelunked into steganography to create a new feature in https://www.deciduous.app/ that lets you reimport PNGs and SVGs of your decision trees to derive the underlying YAML.
Deciduous now also sports a CLI (so you can #npm install it), and a bunch of lil things @shortridge and I added towards the goal of fast, easy, collaborative #threatmodeling of potential failures.
Ryan Dahl's weekly #Deno video update just dropped that includes a preview of the next Deno release which will have the ability to import wasm modules, blobs (images), plain text and urls for things like CSS files. He also previews the new website, and says they are actively working on JSR. "What is that," he asks, and answers "I don't know" with a smile. My guess is JavaScript Repository, an alternative to #npm. @deno_land https://youtu.be/5nv2zhic6Jk?si=QJrbEznW4I6WQFb0
🤡 Disruptive ‘everything’ JavaScript package created ‘for the meme’
「 On Dec. 29, a package titled “everything” was published to the registry, which is designed to install all other public packages in the registry. This created a registry-wide web of dependencies that effectively disabled the ability to unpublish packages on the site, as packages that other packages are dependent on cannot be unpublished 」
Especially the part where you can just publish your TypeScript package without transpilation, and they handle #NodeJS/NPM compatibility, is pretty big IMO.
#NPM based packages should mandatorily disclose what the code size is and what the node_modules folder count and total size will be, because that combined together could tell me what kind of liability I am getting myself into. #supplychain issues arise mostly from being unaware / ignorant about your liabilities.
Here's me trying to make sure we ship as secure as possible software, and there's someone who doesn't know how to use an npm ignore file to not ship their shitty docker files in their modules #node #npm
So many #npm projects have a lot of crap in node_modules that is really not needed when deploying apps - SO MANY DOT FILES. I built a script that will clear them all out recursively, just leaving required files. Will probably add *.ts when creating containers.
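The kind of cleanup the post above describes, as an added example (not the poster's own script): a POSIX shell function that counts and, in apply mode, removes every dot-named file or directory under a node_modules tree before it is copied into a container image. The sample package layout (`left-pad` with a `.github` directory, `.npmignore` and `.eslintrc`) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not the poster's script): prune dotfiles and dot-directories
# from a node_modules tree before copying it into a container image.
# prune_dotfiles DIR [dry|apply] -> prints the number of dot entries found;
# removes them only in "apply" mode (the default is "dry", which only counts).
prune_dotfiles() {
  dir="$1"
  mode="${2:-dry}"
  [ -d "$dir" ] || { printf 'not a directory: %s\n' "$dir" >&2; return 1; }
  # -mindepth 1 keeps find from matching DIR itself (e.g. when DIR is ".").
  # -prune stops find descending into a dot-directory, so a whole subtree
  # such as .github/ is counted once and removed as one unit.
  n=$(find "$dir" -mindepth 1 -name '.*' -prune -print | wc -l | tr -d ' ')
  if [ "$mode" = "apply" ]; then
    find "$dir" -mindepth 1 -name '.*' -prune -exec rm -rf {} +
  fi
  printf '%s\n' "$n"
}

# make_sample_tree DIR: builds a constructed node_modules layout for the demo;
# the only files a deploy actually needs are package.json and lib/index.js.
make_sample_tree() {
  mkdir -p "$1/left-pad/.github/workflows" "$1/left-pad/lib"
  : > "$1/left-pad/package.json"
  : > "$1/left-pad/lib/index.js"
  : > "$1/left-pad/README.md"
  : > "$1/left-pad/.npmignore"
  : > "$1/left-pad/.eslintrc"
  : > "$1/left-pad/.github/workflows/ci.yml"
}

# demo: dry-run count, prune, then recount on a throwaway copy of the tree.
demo() {
  tmp=$(mktemp -d)
  make_sample_tree "$tmp/node_modules"
  before=$(prune_dotfiles "$tmp/node_modules" dry)
  prune_dotfiles "$tmp/node_modules" apply >/dev/null
  after=$(prune_dotfiles "$tmp/node_modules" dry)
  printf 'dot entries before: %s, after: %s\n' "$before" "$after"
  rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh prune.sh demo` to see the dry-run count drop from 3 to 0; in a Dockerfile you would call `prune_dotfiles node_modules apply` after `npm ci --omit=dev`.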