Following the various malware issues, #pypi follows #github and #npm 's footsteps and accounts that manage a project will require #2fa
npm provenance: How to get a simple and secure release pipeline
Is there a language that handles dependencies well?
@jameskoole I am tempted to give #CraftCMS a try since I already have experience with it at my day job and it is a #PHP based CMS. Probably my only hang-up with it is that frontend wise, and even content wise, you have to build it all from scratch. That has it's pros & cons. It did sign-up for #Ghost way back when it first launched. I think the #NodeJS server-side part is probably the biggest turn-off for me. I also manage a #StrapiCMS site and I have to deal with #NPM dependency hell.
> Orogene is a next-generation package manager for tools that use node_modules/, such as bundlers, CLI tools, and Node.js-based applications. It's fast, robust, and meant to be easily integrated into your workflows such that you never have to worry about whether your node_modules/ is up to date.
It’s really faster than other tools, check the benchmarks, https://github.com/orogene/orogene/blob/main/BENCHMARKS.md.
Would love for the #npm / #NodeJS community to follow this and make a “npm-vet” command together with published decentralized audits like these: https://opensource.googleblog.com/2023/05/open-sourcing-our-rust-crate-audits.html
https://marketplace.visualstudio.com/items?itemName=codeandstuff.package-json-upgrade - See upgradable #npm packages in a #Node app and upgrade them visually in #VSCode
Is there a good linter for `package.json` (package exports, etc.)?
#npm is hiring in the US: Senior Software Engineer, npm at GitHub
Released a new very simple 25 lines of code #npm module that validates #conventionalCommits messages in eg. a #husky "commit-msg" #gitHook: https://github.com/voxpelli/validate-conventional-commit
Great for use with eg #releasePlease to achieve #npmProvenance on #GitHubActions
Ich würde gerne selbst Dienste/Apps auf unseren Servern installieren und betreiben können; kann aber mit Befehlen wie #npm-install oder Frameworks wie #nodejs und #Docker-Containern etc. nicht wirklich etwas anfangen. Das scheint mir aber die Grundlage zu sein, den Überblick zu haben.
Ganz konkret habe ich Services im Auge, die unsere Nextcloud mit einem Onlyoffice Server zu ergänzen, ggf. ein Moodle betreiben oder gar eine eigene Mastodon-Instanz hochziehen.
Wo fange ich da am besten an?
This weekend PyPi, the python software repository, suspended new accounts: the level of malicious activity has become unmanageable.
But this story is not just about Python: the level of risk from software dependencies has risen unimaginably: not a little, not a lot, this is big enough that it is hard to communicate and comprehend.
The number of methods being used for these attacks is growing, and developers are now a "target of choice" for many criminal groups.
For example, in 2022 there was a sudden increase in the number of an effectiveness of "Phishing as a Service" (PhaaS) offerings in criminal markets. These services are effective at bypassing MFA. However, you may not know that these services are being used to target developer accounts, including repositories of private and open-source software. They want to trojanize the code and create the next big software-supply-chain compromise.
PhaaS is just one method. This weekend's announcement from PyPi was the result of criminals creating a large number of developer accounts so that they can publish malicious clones of existing packages. Typosquatting of packages is not a new phenomena, the constant stream of attacks is new.
You might assume that the repository hosts or managers must have a solution. They do not. The problems are diverse and many: from the management of repository hosting, to the security/trust verification features of packaging systems, to the security of repositories and the developers themselves.
There is no one solution, but solutions are needed.
My action item for you is this. Do not read cybesecurity about software repository compromises in isolation. Look at the forest and not the trees. Big risks are harder to understand that little ones but need the most urgent action.
Below are a small selection of stories in the comments to get you started. This is just a tiny fraction of the stories I have read and analyzed in the past year. The "hits just keep on coming".
#SoftwareDeveloper #GitHub #PyPi #NPM #Java #Python #CyberSecurity #PhishingAsAService #ThreatIntelligence #CTI #PhaaS #TypoSquatting #VSCode #Malware #SoftwareSupplyChain
「開発者向けアラート: Node.js 用の NPM パッケージには危険な TurkoRat マルウェアが隠されています 」： The Hacker News
nodejs-encrypt-agent (バージョン 6.0.2、6.0.3、6.0.4、および 6.0.5)
nodejs-cookie-proxy-agent (バージョン 1.1.0、1.2.0、1.2.1、1.2.2、1.2.3、および 1.2.4)、および
axios-proxy (バージョン 1.7.3、1.7.4、1.7.7、1.7.9、1.8.9、および 1.9.9)
@georgeharito @randomgeek @codinghorror Oh, that was just the wake-up call that the script kiddies needed adult supervision. #npm got it in the form of being bought by #Microsoft-owned #GitHub. Careful what you wish for.
The punchline is that @isaacs wrote npm in reaction to how “terribly” #PHP’s #PEAR and #Perl’s #CPAN did package management.
infrastruktur. skal. ikke. og. kan. ikke. "lønne". seg
The idea of publishing npm built-ins (mostly) as-is, is fairly common in relation to tools like browserify.
Those tools can't easily read the source code otherwise and/or the built-in version might not be standalone (eg rely on Node or V8 internals) in a way that would make it work in a browser environment. It also helps control which version is embedded in the build, which otherwise varies by developer env's Node version.
Why would anyone use the `path` package from npm instead of Node’s `path` module?
Just found it in one of my own projects, where I'm the only contributor… 😅
Is #npm down? Bruh
shoutouts for unmoveable dotfiles/dirs go out to:
- #npm's cacache (who literally closed my Issue on github about this)
- steam (three times)
- yarn (cache uses XDG_CACHE_HOME, but rc file can't be moved)
- adb (just ignores env var config)
- those .gtkrc files that ignore env var configs
I wrote a dumb article and now you have to suffer me linking to it: https://dev.to/tigt/how-to-succeed-in-open-source-without-really-trying-really-55pj
Import maps, the new browser standard, open up a world of possibilities for factoring and optimizing web pages and experiences. In this post, we explore one of them briefly: developing a static import-map-based #CDN to serve your #NPM packages. (https://bennypowers.dev/posts/import-map-cdn/)
Hrm, #npm really needs a filter for "still maintained" because there's an utterly ridiculous number of packages that are just no longer maintained, which would be really good to filter from search results
So 5 years ago @joshbressers and I discussed the #NPM #leftpad situation https://opensourcesecurity.io/2023/05/07/episode-374-the-event-we-called-left-pad-episode-77-remaster-part-1/ TL;DR: Somethings have changed, the ecosystem owners are definitely doing a better job of minimizing harm, but we still have a ways to go.
** Even better news for developers! **
We’re announcing our new #API Wrapper for #react
Git Repo → https://github.com/frontendnetwork/vegancheck-api-wrapper
Now on #npm:
Run → npm i @frontendnetwork/vegancheck
NPM → https://www.npmjs.com/package/@frontendnetwork/vegancheck
Julie #Gervais et Claire #Lemercier parlent des services publics et du cercle de la raison : "Le privé n’assiège pas l’État – après tout, les consultants répondent à des appels d’offres. Mais force est de constater qu’au terme de leur formation dans les grandes écoles nos très hauts fonctionnaires et nos dirigeants politiques sont convaincus de la supériorité du général sur le particulier, et font de la rentabilité financière un objectif central et universel, pour le public comme pour le privé. Cette foi préside ensuite aux règles de gestion des #servicesPublics. Les cadres qui veulent grimper dans la hiérarchie doivent aussi y adhérer."
https://www.telerama.fr/debats-reportages/deconnexion-du-terrain-injonction-au-profit-pourquoi-les-gouvernements-echouent-a-ameliorer-les-services-publics-7015430.php #LOLF #T2A #NPM #sociologie #colonialité #méritocratie #citation
npm packages are no longer signed with PGP signatures
Probleme de renouvellement de certificat Let's Encrypt NPM
Si vous rencontrez un souci sur la certification …
#npm #NginxProxyManager #pip #zope #lienstechsystemfr
Error while using create-react-app #commandline #nodejs #npm
Dependabot relieves alert fatigue from npm devDependencies #github #npm https://github.blog/2023-05-02-dependabot-relieves-alert-fatigue-from-npm-devdependencies/
Dependabot relieves alert fatigue from npm devDependencies
Check it out! 👇
#SupplyChainSecurity #Npm #Dependabot #Security #Product #OpenSource
I hate #npm and node_modules with all my being
it stopped working without a reason, it compiles fine on the server, not on my machine 🤦♀️
Todo dia, muita gente pega um pacote aleatório do #NPM que aparentemente resolve um problema e começa a usar no seu projeto sem dar muito trabalho de pensamento em segurança ou auditoria. Isso é comum, e também uma das principais causas de problemas
Managed to get my #Glitch startup time down to ~5 seconds from ~15 seconds with a combination of two things:
- A webhook in the deployed app that's triggered whenever a push event happens, which force-pulls from the "glitch" branch if conditions are met
- A #GitHub workflow that trims and packages the repository then force-pushes to the "glitch" branch to eliminate the package installation step when Glitch is refreshed
npm install looking at my available storage.
@thePunderWoman I guess #NPM does use "bin" as referring to executables, which is kind of the same mistake? Though that's usually not used when referring to a build output.
I've been updating my site at https://starbreaker.org/ with #IndieWeb #microformats.
#IndieAuth for starbreaker.org works.
h-card is implemented.
h-entry validation still needs a bit of work.
And I haven't gotten around to #WebMentions yet, but there's a #npm package I can run on one of my machines at home as a cron job to check my #RSS feed and send them. Receiving them will entail some more work...
Introducing npm package provenance
I've officially released my first #webComponent on #npm - Formula - https://www.npmjs.com/package/@webhelpers/formula
It works with any static HTML5 form and turns into a Reactive Form, all you need to do is wrap the form in `<formula-form>` and it starts working - Demo here https://stackblitz.com/edit/vitejs-vite-skkuff?file=index.html
Increase trust in your #npm packages and improve supply chain #security with #GitHub Actions https://github.blog/2023-04-19-introducing-npm-package-provenance/
Well, this is *very* nice. Provenance statements on #npm for releases that can be traced back to specific commits + build scripts.
So I add this to my .npmrc's now:
#npm now allows to link a published package to the exact source it was built from:
"when you build your #NPM projects on GitHub Actions, you can publish Provenance alongside your package"
Say I've got a handful of #NPM packages, and they share a few common dependencies, and a list of versions for each package, so:
I need to generate the smallest number of #semver-compatible bundles of the shared dependencies.
So given a list of specific package specs, I need a function that returns a list of highest-semver-compatible dep specs
in: `[ 'email@example.com', 'firstname.lastname@example.org',]`
out: `['email@example.com', 'firstname.lastname@example.org']`
Is there already a tool that can do that?
“Flat node_modules is not the only way” by @zkochan
[How pnpm manages node_modules]
#NodeJS #npm #pnpm
Also, released the #npm module just to get it available so I could build the demo - and it's already got over 150 downloads without any advertising it 🤔
If you're looking for an alternative to cross-fetch that has node.js 18+ support (for native fetch), then you might be interested in this from my former employer: https://github.com/inrupt/universal-fetch
npm install @inrupt/universal-fetch
Socket `npm` wrapper feedback update
Urgh, there are a gazillion monaco-editor-vue3 packages on npm.
How should you find the right one?
Does anyone have a recommendation?
Or maybe a lighter-weight alternative to monaco?
Edit: @niklaskorz has recommended #CodeMirror, which looks great! Thank you! ❤️
Why is the user experience for #npm and #pip so awful when you have to deal with private repos?
Both tools like to make it impossible to install anything when a credential expires/repo is unreachable and you get useless error messages and have to spend hours googling/ asking 6 people before you find which config file (local? global? other?) has the ref to the private repos
It knows exactly what it is and isn't, never breaks on me, is incredibly missed when it's not there. Unproblematic king 👑
#nodejs #js #webDev #webDevelopment #frontEnd #web #npm #node #programming
First #GitHub now #npm 😪 🤮
Are we really giving Open-Source all into one giant coorps hands?