Masthash

#Npm

Seb
12 hours ago

Following the various malware issues, #pypi follows #github and #npm 's footsteps and accounts that manage a project will require #2fa

https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/

AlternativeTo
2 days ago

#Deno, the runtime for JavaScript and TypeScript, has released version 1.34 which enhances the developer experience and compatibility with #npm and #NodeJS.
https://alternativeto.net/news/2023/5/deno-1-34-released-with-better-compatiblity-with-npm-and-node-js/

Justin 🇻🇦
3 days ago

Is there a language that handles dependencies well?

Python's virtual environments are a bit awkward but everything mostly works, I haven't played with Java build tools much, Javascript is a trainwreck. I've been happy with Dart, but haven't gotten into the weeds much. Same with rust, cargo seems nice, but I haven't played with it enough to know the pitfalls yet.

#programming #dependencies #python #java #javascript #dart #flutter #rust #cargo #pip #npm #yarn

Tim Nolte
4 days ago

@jameskoole I am tempted to give #CraftCMS a try since I already have experience with it at my day job and it is a #PHP based CMS. Probably my only hang-up with it is that frontend wise, and even content wise, you have to build it all from scratch. That has it's pros & cons. It did sign-up for #Ghost way back when it first launched. I think the #NodeJS server-side part is probably the biggest turn-off for me. I also manage a #StrapiCMS site and I have to deal with #NPM dependency hell.

@chris

Steffo
4 days ago

#GitHub reports that my package has dependents that are not listed on #NPM 🤔

Repositories that depend on @steffo/bluelib

@infinitebrahmanuniverse/nolb-_stef
@zalastax/nolb-_stef
@steffo/bluelib-react

Orogene, https://orogene.dev/.

> Orogene is a next-generation package manager for tools that use node_modules/, such as bundlers, CLI tools, and Node.js-based applications. It's fast, robust, and meant to be easily integrated into your workflows such that you never have to worry about whether your node_modules/ is up to date.

It’s really faster than other tools, check the benchmarks, https://github.com/orogene/orogene/blob/main/BENCHMARKS.md.

#JavaScript #RustLang #npm #node_modules #PackageManager #performance

Benchmarks of orogene vs other tools with a warm cache. yarn takes around 13s, pnpm 5-6s, npm 18s, bun and orogene less than 1s.
Pelle Wessman
5 days ago

Would love for the #npm / #NodeJS community to follow this and make a “npm-vet” command together with published decentralized audits like these: https://opensource.googleblog.com/2023/05/open-sourcing-our-rust-crate-audits.html

robrich
5 days ago
Axel Rauschmayer
5 days ago

Is there a good linter for `package.json` (package exports, etc.)?
#npm #JavaScript #NodeJS

Markus Tacker
5 days ago

#npm is hiring in the US: Senior Software Engineer, npm at GitHub
https://boards.greenhouse.io/github/jobs/5063280

Pelle Wessman
6 days ago

Released a new very simple 25 lines of code #npm module that validates #conventionalCommits messages in eg. a #husky "commit-msg" #gitHook: https://github.com/voxpelli/validate-conventional-commit

Great for use with eg #releasePlease to achieve #npmProvenance on #GitHubActions

#npmRelease #newNpmModule

David Lohner
1 week ago

Ich würde gerne selbst Dienste/Apps auf unseren Servern installieren und betreiben können; kann aber mit Befehlen wie #npm-install oder Frameworks wie #nodejs und #Docker-Containern etc. nicht wirklich etwas anfangen. Das scheint mir aber die Grundlage zu sein, den Überblick zu haben.

Ganz konkret habe ich Services im Auge, die unsere Nextcloud mit einem Onlyoffice Server zu ergänzen, ggf. ein Moodle betreiben oder gar eine eigene Mastodon-Instanz hochziehen.
Wo fange ich da am besten an?

4/4

The Cybersecurity Librarian :donor:
1 week ago

This weekend PyPi, the python software repository, suspended new accounts: the level of malicious activity has become unmanageable.

But this story is not just about Python: the level of risk from software dependencies has risen unimaginably: not a little, not a lot, this is big enough that it is hard to communicate and comprehend.

Python (pypi), Javascript (npm), Java (maven), Ruby, and even VS Code extensions are all under constant unrelenting attack. When a single package is trojanized, that threat is inherited by every application that include the compromised package.

The number of methods being used for these attacks is growing, and developers are now a "target of choice" for many criminal groups.

For example, in 2022 there was a sudden increase in the number of an effectiveness of "Phishing as a Service" (PhaaS) offerings in criminal markets. These services are effective at bypassing MFA. However, you may not know that these services are being used to target developer accounts, including repositories of private and open-source software. They want to trojanize the code and create the next big software-supply-chain compromise.

PhaaS is just one method. This weekend's announcement from PyPi was the result of criminals creating a large number of developer accounts so that they can publish malicious clones of existing packages. Typosquatting of packages is not a new phenomena, the constant stream of attacks is new.

You might assume that the repository hosts or managers must have a solution. They do not. The problems are diverse and many: from the management of repository hosting, to the security/trust verification features of packaging systems, to the security of repositories and the developers themselves.

There is no one solution, but solutions are needed.

My action item for you is this. Do not read cybesecurity about software repository compromises in isolation. Look at the forest and not the trees. Big risks are harder to understand that little ones but need the most urgent action.

Below are a small selection of stories in the comments to get you started. This is just a tiny fraction of the stories I have read and analyzed in the past year. The "hits just keep on coming".

#SoftwareDeveloper #GitHub #PyPi #NPM #Java #Python #CyberSecurity #PhishingAsAService #ThreatIntelligence #CTI #PhaaS #TypoSquatting #VSCode #Malware #SoftwareSupplyChain

https://www.bleepingcomputer.com/news/security/pypi-temporarily-pauses-new-users-projects-amid-high-volume-of-malware/
https://www.zdnet.com/article/security-warning-for-software-developers-you-are-now-prime-targets-for-phishing-attacks/
https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
https://therecord.media/malware-found-in-npm-package-with-millions-of-weekly-downloads
https://blog.phylum.io/a-pypi-typosquatting-campaign-post-mortem/
https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over-a-million-downloads-from-google-play/
https://www.bleepingcomputer.com/news/security/malicious-microsoft-vscode-extensions-steal-passwords-open-remote-shells/
https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-abused-to-host-malicious-extensions/

Screenshot of an announcement from the PyPI python repository that they are suspending registration of new accounts due to malicious activity.
BLACKVOID ⚫️
1 week ago

@drh Using #docker and #npm ( #nginx #proxy manager) if that will be of any help

ottoto
1 week ago

「開発者向けアラート: Node.js 用の NPM パッケージには危険な TurkoRat マルウェアが隠されています 」: The Hacker News

「不正なパッケージとその関連バージョンのリストを以下に示します。

nodejs-encrypt-agent (バージョン 6.0.2、6.0.3、6.0.4、および 6.0.5)
nodejs-cookie-proxy-agent (バージョン 1.1.0、1.2.0、1.2.1、1.2.2、1.2.3、および 1.2.4)、および
axios-proxy (バージョン 1.7.3、1.7.4、1.7.7、1.7.9、1.8.9、および 1.9.9)

https://thehackernews.com/2023/05/developer-alert-npm-packages-for-nodejs.html

#prattohome #TheHackerNews #npm #マルウェア

J👀
1 week ago

My company just received the new corporate #Website from the Web agency. It uses #NPM for dependencies. 250 MB of them for a single-page Website that uses less than 1MB.

What a funny world Website development is...

Mark Gardner ‍:sdf:
2 weeks ago

@georgeharito @randomgeek @codinghorror Oh, that was just the wake-up call that the script kiddies needed adult supervision. #npm got it in the form of being bought by #Microsoft-owned #GitHub. Careful what you wish for.

The punchline is that @isaacs wrote npm in reaction to how “terribly” #PHP’s #PEAR and #Perl’s #CPAN did package management.

Demotivational poster of a sinking ship captioned, “Mistakes: It could be that the purpose of your life is only to serve as a warning to others.”
Timo Tijhof
2 weeks ago

@nhoizey

The idea of publishing npm built-ins (mostly) as-is, is fairly common in relation to tools like browserify.

Those tools can't easily read the source code otherwise and/or the built-in version might not be standalone (eg rely on Node or V8 internals) in a way that would make it work in a browser environment. It also helps control which version is embedded in the build, which otherwise varies by developer env's Node version.

See also https://www.npmjs.com/package/events #nodejs #npm

Nicolas Hoizey
2 weeks ago

Why would anyone use the `path` package from npm instead of Node’s `path` module?

https://www.npmjs.com/package/path

Just found it in one of my own projects, where I'm the only contributor… 😅

#Node #npm

⚓️ https://nicolas-hoizey.com/notes/2023/05/12/1/

AveN7ers
2 weeks ago

Is #npm down? Bruh

shoutouts for unmoveable dotfiles/dirs go out to:

- vscode
- mozilla
- #npm's cacache (who literally closed my Issue on github about this)
- steam (three times)
- yarn (cache uses XDG_CACHE_HOME, but rc file can't be moved)
- adb (just ignores env var config)
- those .gtkrc files that ignore env var configs

I wrote a dumb article and now you have to suffer me linking to it: https://dev.to/tigt/how-to-succeed-in-open-source-without-really-trying-really-55pj

#svg #oss #npm

Import maps, the new browser standard, open up a world of possibilities for factoring and optimizing web pages and experiences. In this post, we explore one of them briefly: developing a static import-map-based #CDN to serve your #NPM packages. (https://bennypowers.dev/posts/import-map-cdn/)

Emelia 👸🏻
3 weeks ago

Hrm, #npm really needs a filter for "still maintained" because there's an utterly ridiculous number of packages that are just no longer maintained, which would be really good to filter from search results

kurtseifried (he/him)
3 weeks ago

So 5 years ago @joshbressers and I discussed the #NPM #leftpad situation https://opensourcesecurity.io/2023/05/07/episode-374-the-event-we-called-left-pad-episode-77-remaster-part-1/ TL;DR: Somethings have changed, the ecosystem owners are definitely doing a better job of minimizing harm, but we still have a ways to go.

VeganCheck.me
3 weeks ago

** Even better news for developers! **

We’re announcing our new #API Wrapper for #react
Git Repo → https://github.com/frontendnetwork/vegancheck-api-wrapper

Now on #npm:
Run → npm i @frontendnetwork/vegancheck
NPM → https://www.npmjs.com/package/@frontendnetwork/vegancheck

Estelle Platini
3 weeks ago

Julie #Gervais et Claire #Lemercier parlent des services publics et du cercle de la raison : "Le privé n’assiège pas l’État – après tout, les consultants répondent à des appels d’offres. Mais force est de constater qu’au terme de leur formation dans les grandes écoles nos très hauts fonctionnaires et nos dirigeants politiques sont convaincus de la supériorité du général sur le particulier, et font de la rentabilité financière un objectif central et universel, pour le public comme pour le privé. Cette foi préside ensuite aux règles de gestion des #servicesPublics. Les cadres qui veulent grimper dans la hiérarchie doivent aussi y adhérer."

https://www.telerama.fr/debats-reportages/deconnexion-du-terrain-injonction-au-profit-pourquoi-les-gouvernements-echouent-a-ameliorer-les-services-publics-7015430.php #LOLF #T2A #NPM #sociologie #colonialité #méritocratie #citation

Mike Goatly
3 weeks ago

Well this is a nice touch - #VSCode fetches the description and release date of #NPM packages when you hover over them in a package.json file.

VS Code editor for a package.json file. A tooltip is showing for the package called "remark-gfm". The tooltip says:

"remark plugin to support GFM (autolink literals, footnotes, strikethrough, tables, tasklists)

Latest version: 3.0.1 published 1 year ago"
Wolfy
3 weeks ago

Probleme de renouvellement de certificat Let's Encrypt NPM

Si vous rencontrez un souci sur la certification …

#npm #NginxProxyManager #pip #zope #lienstechsystemfr

https://liens.techsystem.fr/shaare/rI6pYQ
(Via https://liens.techsystem.fr/shaare/rI6pYQ)

AskUbuntu
3 weeks ago
Vincent Biret
4 weeks ago
Niklas Rosenqvist
1 month ago

Started playing around with #gtk, is there any way one can use #npm modules in #gjs? #gnome

I hate #npm and node_modules with all my being

it stopped working without a reason, it compiles fine on the server, not on my machine 🤦‍♀️

Lucas Santos
1 month ago

Esse é um dos vetores mais simples de ataque, porque você pode simplesmente usar tudo que já existe, só roubando uma chave. E por isso que o pessoal lá do #GitHub e do #NPM pensou em uma solução bastante interessante, as provenances.

Lucas Santos
1 month ago

Todo dia, muita gente pega um pacote aleatório do #NPM que aparentemente resolve um problema e começa a usar no seu projeto sem dar muito trabalho de pensamento em segurança ou auditoria. Isso é comum, e também uma das principais causas de problemas

Lucas Santos
1 month ago

O #NPM acabou de ficar mais seguro através do PACKAGE PROVENANCE. Que é uma das formas para melhorar o que a gente chama de supply chain security.

Bora entender como isso impacta DEMAIS o ecossistema #dev e #nodejs

Segue o fio que eu vou te contar uma história 🧵

People just use yarn because they don't want to type "run" when they run package scripts. #nodeJS #node #js #javaScript #npm #webDev

haliphax 👾
1 month ago

Managed to get my #Glitch startup time down to ~5 seconds from ~15 seconds with a combination of two things:

- A webhook in the deployed app that's triggered whenever a push event happens, which force-pulls from the "glitch" branch if conditions are met

- A #GitHub workflow that trims and packages the repository then force-pushes to the "glitch" branch to eliminate the package installation step when Glitch is refreshed

#dev #npm #NodeJS #WebDev #TypeScript #javascript #perf

Zackery Fretty 🚲
1 month ago

npm install looking at my available storage.

#npm #webdev #javascript

Doug Parker
1 month ago

@thePunderWoman I guess #NPM does use "bin" as referring to executables, which is kind of the same mistake? Though that's usually not used when referring to a build output.

Matthew Graybosch
1 month ago

I've been updating my site at https://starbreaker.org/ with #IndieWeb #microformats.

#IndieAuth for starbreaker.org works.

h-card is implemented.

https://indiewebify.me/validate-h-card/?url=https%3A%2F%2Fstarbreaker.org%2F

h-entry validation still needs a bit of work.

https://indiewebify.me/validate-h-entry/?url=https%3A%2F%2Fstarbreaker.org%2Fblog%2Fspiral-architect%2Fchapter-003%2F

And I haven't gotten around to #WebMentions yet, but there's a #npm package I can run on one of my machines at home as a cron job to check my #RSS feed and send them. Receiving them will entail some more work...

thomas 🌸
1 month ago

Sitting outside in soho applying for jobs signaling to the world I am a programmer. #deno #node #javascript #ipfs #npm #jobs

laptop with a bunch of coding stickers on it
Tane Piper
1 month ago

I've officially released my first #webComponent on #npm - Formula - https://www.npmjs.com/package/@webhelpers/formula

It works with any static HTML5 form and turns into a Reactive Form, all you need to do is wrap the form in `<formula-form>` and it starts working - Demo here https://stackblitz.com/edit/vitejs-vite-skkuff?file=index.html

#webComponents #webDev #html #ReactiveForms #opensource

Increase trust in your #npm packages and improve supply chain #security with #GitHub Actions https://github.blog/2023-04-19-introducing-npm-package-provenance/

Daniel Roe :nuxt:
1 month ago

Well, this is *very* nice. Provenance statements on #npm for releases that can be traced back to specific commits + build scripts.

A npm package display showing the provenance of a package released as part of the Nuxt Edge Channel.

I'm of the habit of *always* installing NPM deps as `devDependencies` because I'm never publishing NPM packages, so all my dependencies are build-time. It's a pain when I accidently forget the -D and it creates a `dependencies` array in my package.json. #node #nodejs #javaScript #js #npm #npmrc #web #webDev #programming #developer

So I add this to my .npmrc's now:

screenshot of editor with .npmrc opened with the line "save-dev=true" added
Markus Tacker
1 month ago

#npm now allows to link a published package to the exact source it was built from:
https://github.blog/2023-04-19-introducing-npm-package-provenance/

"when you build your #NPM projects on GitHub Actions, you can publish Provenance alongside your package"

https://github.blog/2023-04-19-introducing-npm-package-provenance/

Say I've got a handful of #NPM packages, and they share a few common dependencies, and a list of versions for each package, so:

```
a@1.0.0
a@1.1.0
b@1.0.0
b@1.0.1
```

I need to generate the smallest number of #semver-compatible bundles of the shared dependencies.

So given a list of specific package specs, I need a function that returns a list of highest-semver-compatible dep specs

in: `[ 'a@1.0.0', 'b@2.0.0',]`
out: `['dep-a@1.2.3', 'dep-b@1.1.0']`

Is there already a tool that can do that?

Axel Rauschmayer
1 month ago

“Flat node_modules is not the only way” by @zkochan
[How pnpm manages node_modules]
https://pnpm.io/blog/2020/05/27/flat-node-modules-is-not-the-only-way
#NodeJS #npm #pnpm

Tane Piper
1 month ago

Also, released the #npm module just to get it available so I could build the demo - and it's already got over 150 downloads without any advertising it 🤔

A screenshot from NPM
Emelia 👸🏻
1 month ago

If you're looking for an alternative to cross-fetch that has node.js 18+ support (for native fetch), then you might be interested in this from my former employer: https://github.com/inrupt/universal-fetch

Or:

npm install @inrupt/universal-fetch

#nodejs #npm

Jan :rust: :ferris:
1 month ago

Urgh, there are a gazillion monaco-editor-vue3 packages on npm.

How should you find the right one?

Does anyone have a recommendation?

Or maybe a lighter-weight alternative to monaco?

Edit: @niklaskorz has recommended #CodeMirror, which looks great! Thank you! ❤️

https://www.npmjs.com/package/vue-codemirror

#npm #Vue #VueJS #Vue3 #JavaScript #MonacoEditor

Matthew Martin ☑ ✅📛
1 month ago

Why is the user experience for #npm and #pip so awful when you have to deal with private repos?

Both tools like to make it impossible to install anything when a credential expires/repo is unreachable and you get useless error messages and have to spend hours googling/ asking 6 people before you find which config file (local? global? other?) has the ref to the private repos

https://www.hanselman.com/blog/everythings-broken-and-nobodys-upset

Okay it's been 6 years: we should probably have a long discussion on how #Prettier is the most successful #JavaScript project of the last decade

It knows exactly what it is and isn't, never breaks on me, is incredibly missed when it's not there. Unproblematic king 👑

#nodejs #js #webDev #webDevelopment #frontEnd #web #npm #node #programming

3 years ago

First #GitHub now #npm 😪 🤮

Are we really giving Open-Source all into one giant coorps hands?

https://github.blog/2020-03-16-npm-is-joining-github/