#NPM

#JavaScript #RustLang #npm #node_modules #PackageManager #performance

Orogene, https://orogene.dev/.

> Orogene is a next-generation package manager for tools that use node_modules/, such as bundlers, CLI tools, and Node.js-based applications. It's fast, robust, and meant to be easily integrated into your workflows such that you never have to worry about whether your node_modules/ is up to date.

It’s really faster than other tools, check the benchmarks, https://github.com/orogene/orogene/blob/main/BENCHMARKS.md.

Benchmarks of orogene vs other tools with a warm cache. yarn takes around 13s, pnpm 5-6s, npm 18s, bun and orogene less than 1s.

Pelle Wessman

Would love for the #npm / #NodeJS community to follow this and make a “npm-vet” command together with published decentralized audits like these: https://opensource.googleblog.com/2023/05/open-sourcing-our-rust-crate-audits.html

robrich

https://marketplace.visualstudio.com/items?itemName=codeandstuff.package-json-upgrade - See upgradable #npm packages in a #Node app and upgrade them visually in #VSCode

Axel Rauschmayer

Is there a good linter for `package.json` (package exports, etc.)?
#npm #JavaScript #NodeJS

Markus Tacker

#npmRelease #newNpmModule

#npm is hiring in the US: Senior Software Engineer, npm at GitHub
https://boards.greenhouse.io/github/jobs/5063280

Pelle Wessman

6 days ago

Released a new very simple 25 lines of code #npm module that validates #conventionalCommits messages in eg. a #husky "commit-msg" #gitHook: https://github.com/voxpelli/validate-conventional-commit

Great for use with eg #releasePlease to achieve #npmProvenance on #GitHubActions

David Lohner

The Cybersecurity Librarian :donor:

Ich würde gerne selbst Dienste/Apps auf unseren Servern installieren und betreiben können; kann aber mit Befehlen wie #npm-install oder Frameworks wie #nodejs und #Docker-Containern etc. nicht wirklich etwas anfangen. Das scheint mir aber die Grundlage zu sein, den Überblick zu haben.

Ganz konkret habe ich Services im Auge, die unsere Nextcloud mit einem Onlyoffice Server zu ergänzen, ggf. ein Moodle betreiben oder gar eine eigene Mastodon-Instanz hochziehen.
Wo fange ich da am besten an?

4/4

#SoftwareDeveloper #GitHub #PyPi #NPM #Java #Python #CyberSecurity #PhishingAsAService #ThreatIntelligence #CTI #PhaaS #TypoSquatting #VSCode #Malware #SoftwareSupplyChain

This weekend PyPi, the python software repository, suspended new accounts: the level of malicious activity has become unmanageable.

But this story is not just about Python: the level of risk from software dependencies has risen unimaginably: not a little, not a lot, this is big enough that it is hard to communicate and comprehend.

Python (pypi), Javascript (npm), Java (maven), Ruby, and even VS Code extensions are all under constant unrelenting attack. When a single package is trojanized, that threat is inherited by every application that include the compromised package.

The number of methods being used for these attacks is growing, and developers are now a "target of choice" for many criminal groups.

For example, in 2022 there was a sudden increase in the number of an effectiveness of "Phishing as a Service" (PhaaS) offerings in criminal markets. These services are effective at bypassing MFA. However, you may not know that these services are being used to target developer accounts, including repositories of private and open-source software. They want to trojanize the code and create the next big software-supply-chain compromise.

PhaaS is just one method. This weekend's announcement from PyPi was the result of criminals creating a large number of developer accounts so that they can publish malicious clones of existing packages. Typosquatting of packages is not a new phenomena, the constant stream of attacks is new.

You might assume that the repository hosts or managers must have a solution. They do not. The problems are diverse and many: from the management of repository hosting, to the security/trust verification features of packaging systems, to the security of repositories and the developers themselves.

There is no one solution, but solutions are needed.

My action item for you is this. Do not read cybesecurity about software repository compromises in isolation. Look at the forest and not the trees. Big risks are harder to understand that little ones but need the most urgent action.

Below are a small selection of stories in the comments to get you started. This is just a tiny fraction of the stories I have read and analyzed in the past year. The "hits just keep on coming".

https://www.bleepingcomputer.com/news/security/pypi-temporarily-pauses-new-users-projects-amid-high-volume-of-malware/
https://www.zdnet.com/article/security-warning-for-software-developers-you-are-now-prime-targets-for-phishing-attacks/
https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
https://therecord.media/malware-found-in-npm-package-with-millions-of-weekly-downloads
https://blog.phylum.io/a-pypi-typosquatting-campaign-post-mortem/
https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over-a-million-downloads-from-google-play/
https://www.bleepingcomputer.com/news/security/malicious-microsoft-vscode-extensions-steal-passwords-open-remote-shells/
https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-abused-to-host-malicious-extensions/

Screenshot of an announcement from the PyPI python repository that they are suspending registration of new accounts due to malicious activity.

BLACKVOID ⚫️

@drh Using #docker and #npm ( #nginx #proxy manager) if that will be of any help

ottoto

https://thehackernews.com/2023/05/developer-alert-npm-packages-for-nodejs.html

「開発者向けアラート: Node.js 用の NPM パッケージには危険な TurkoRat マルウェアが隠されています」： The Hacker News

「不正なパッケージとその関連バージョンのリストを以下に示します。

nodejs-encrypt-agent (バージョン 6.0.2、6.0.3、6.0.4、および 6.0.5)
nodejs-cookie-proxy-agent (バージョン 1.1.0、1.2.0、1.2.1、1.2.2、1.2.3、および 1.2.4)、および
axios-proxy (バージョン 1.7.3、1.7.4、1.7.7、1.7.9、1.8.9、および 1.9.9)
」

#prattohome #TheHackerNews #npm #マルウェア

J👀

My company just received the new corporate #Website from the Web agency. It uses #NPM for dependencies. 250 MB of them for a single-page Website that uses less than 1MB.

What a funny world Website development is...

Mark Gardner ‍:sdf:

@georgeharito @randomgeek @codinghorror Oh, that was just the wake-up call that the script kiddies needed adult supervision. #npm got it in the form of being bought by #Microsoft-owned #GitHub. Careful what you wish for.

The punchline is that @isaacs wrote npm in reaction to how “terribly” #PHP’s #PEAR and #Perl’s #CPAN did package management.

Demotivational poster of a sinking ship captioned, “Mistakes: It could be that the purpose of your life is only to serve as a warning to others.”

benteh

https://www.nrk.no/vestland/prosjektet-blei-ulonsamt-da-vegvesenet-la-50-kr-literen-til-grunn_-_-ein-_shit-in_-shit-out_-rapport-1.16410456

infrastruktur. skal. ikke. og. kan. ikke. "lønne". seg

#npm #tullespråk

Timo Tijhof

@nhoizey

The idea of publishing npm built-ins (mostly) as-is, is fairly common in relation to tools like browserify.

Those tools can't easily read the source code otherwise and/or the built-in version might not be standalone (eg rely on Node or V8 internals) in a way that would make it work in a browser environment. It also helps control which version is embedded in the build, which otherwise varies by developer env's Node version.

Nicolas Hoizey

https://www.npmjs.com/package/path

Why would anyone use the `path` package from npm instead of Node’s `path` module?

Just found it in one of my own projects, where I'm the only contributor… 😅

#Node #npm

⚓️ https://nicolas-hoizey.com/notes/2023/05/12/1/

Is #npm down? Bruh

shoutouts for unmoveable dotfiles/dirs go out to:

- vscode
- mozilla
- #npm's cacache (who literally closed my Issue on github about this)
- steam (three times)
- yarn (cache uses XDG_CACHE_HOME, but rc file can't be moved)
- adb (just ignores env var config)
- those .gtkrc files that ignore env var configs

Taylor “Tigt” Hunt

I wrote a dumb article and now you have to suffer me linking to it: https://dev.to/tigt/how-to-succeed-in-open-source-without-really-trying-really-55pj

#svg #oss #npm

Benny Powers 🇨🇦️🇮🇱️

Import maps, the new browser standard, open up a world of possibilities for factoring and optimizing web pages and experiences. In this post, we explore one of them briefly: developing a static import-map-based #CDN to serve your #NPM packages. (https://bennypowers.dev/posts/import-map-cdn/)

Emelia 👸🏻

Hrm, #npm really needs a filter for "still maintained" because there's an utterly ridiculous number of packages that are just no longer maintained, which would be really good to filter from search results

kurtseifried (he/him)

So 5 years ago @joshbressers and I discussed the #NPM #leftpad situation https://opensourcesecurity.io/2023/05/07/episode-374-the-event-we-called-left-pad-episode-77-remaster-part-1/ TL;DR: Somethings have changed, the ecosystem owners are definitely doing a better job of minimizing harm, but we still have a ways to go.

VeganCheck.me

** Even better news for developers! **

We’re announcing our new #API Wrapper for #react
Git Repo → https://github.com/frontendnetwork/vegancheck-api-wrapper

Now on #npm:
Run → npm i @frontendnetwork/vegancheck
NPM → https://www.npmjs.com/package/@frontendnetwork/vegancheck

Estelle Platini