"The state of the art is no longer in finding more sophisticated ways to build JavaScript or CSS. It's not to build at all. To lean on HTTP/2 and the now universal support for import maps to avoid bundling."
Arguably optimizing for 0-dependencies packages is kinda wrong in some cases, because if you use 100 packages, each with 0 dependencies, then most likely there is going to be a decent amount of code duplication in there, and the packages won't necessarily work well together.
Latest issue of my curated #cybersecurity and #infosec list of resources for week #39/2023 is out! It includes the following and much more:
- #GitHub repos bombarded by info-stealing commits masked as #Dependabot
- #Sony Investigating After Hackers Offer to Sell Stolen Data
- #BORN Ontario child registry #databreach affects 3.4 million people
- Personal data of 25,000 Hongkongers at risk after #cyberattack against consumer watchdog, up from earlier estimate of 8,000
- National Student Clearinghouse data breach impacts 890 #schools
- #AirCanada discloses data breach of employee and 'certain records'
- North Korean hackers posed as #Meta recruiter on #LinkedIn
- ShadowSyndicate: A New #Cybercrime Group Linked to 7 #Ransomware Families
- Russian flight booking system suffers "massive" cyberattack
- Chinese hackers stole emails from US State Dept in #Microsoft breach, Senate staffer says
- Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
- Ukrainian Military Targeted in Phishing Campaign Leveraging #Drone Manuals
- Hackers steal $200M from #crypto company #Mixin
- Nigerian man pleads guilty to attempted $6 million BEC email heist
- ShinyHunters member pleads guilty to $6 million in data theft damages
- #China-Linked Budworm Targeting Middle Eastern #Telco and Asian Government Agencies
- Backdoored firmware lets China state hackers control #routers with "magic packets"
- Security researcher warns of chilling effect after feds search phone at #airport
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- #Bing Chat responses infiltrated by ads pushing #malware
- Red Cross-Themed #Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors
- #SSH keys stolen by stream of malicious #PyPI and #npm packages
- New Variant of #Banking #Trojan BBTok Targets Over 40 Latin American Banks
- #Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
- #Sysdig Launches Realtime Attack Graph for Cloud Environments
- Critical vulnerabilities in #Exim threaten over 250k #email servers worldwide
- Progress warns of maximum severity WS_FTP Server vulnerability
- #Google fixes fifth actively exploited Chrome zero-day of 2023
- #macOS 14 #Sonoma Patches 60 #Vulnerabilities
- #Firefox 118 Patches High-Severity Vulnerabilities
- Google quietly corrects previously submitted disclosure for critical #webp 0-day
- 0-days exploited by commercial surveillance vendor in #Egypt
This week's recommended reading is: "Philosophy of Cybersecurity" by @LukaszOlejnik and Artur Kurasinski
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end.
Anybody know how to stop npm using "git+ssh://git@github.com/org/repo" URLs in package-lock.json files even if the dependency is using "https://github.com/org/repo"?
Manage software programs on your Windows device with the awesome tool WinGetUI!
A graphical user interface to manage packages from the most common package managers for Windows, such as Winget, Scoop, Chocolatey, Pip, Npm and .NET Tool.
Hey @astro, I tried running a brand new Astro project with #npm but there seems to be an issue when installing the dependencies?
When running "npm run dev" it cannot find the "astro" command. When installing it with #yarn everything works fine and as expected (no error during dependency install).
I had a bad experience with npm-shrinkwrap.json recently. I read the documentation and took care, but it wasn't enough. Based on that, my current opinion is that #npm #shrinkwrap is unusable for its intended purpose. That seems absurd and I am happy to learn what I'm doing wrong. Here's a brief summary:
Meta, a near trillion-dollar mega corp, is bullying #opensource devs by spamming cease-and-desists (including to 15-year-olds instead of praising their genius) to unfairly eliminate competition to their #whatsapp #npm package (complete details here: https://i.imgur.com/FJZakpH.png) @eff
Every time I do a change on the website, which is not content, I also try to update the dependencies. Otherwise I might end up with a huge mess in the future.
Parts of the #NodeJS #NPM repo are full of essentially private forks that are polluting the public commons. Here, the main project, passport-saml, is well-maintained and up-to-date with security fixes.
The foxden fork, as an example, removed the README and changed the license to "unlicensed" (which I'm not sure is even legal). Notice how most forks don't even bother to update the description to give a hint why their fork is different.