#npm
I'm hacking on my resume and thought JSON Resume would be a good way to codify it instead of having it locked up inside LinkedIn or in a stupid Microsoft Word document.
JSON Resume has a theme concept, but with 438 available themes and no way to view them all online, it's a bit too much work to test them one by one. "Script it!" I thought, but `npm search` only returns 20 results and there's no way around it:
https://github.com/npm/cli/issues/1211
As https://www.npmjs.com/ does pagination, it requires a lot of manual steps or intricate scripting to get a full list. However, https://npms.io/ has infinite scroll, so searching and scrolling to the bottom a few times works.
Then, the following JS snippet in the browser console gives me the name of all 438 JSON Resume themes:
```js
Array.from(document.querySelectorAll('.results-list-item .headline a'), a => a.innerText)
```
Now it's easy to plop the results into a text file and iterate. I love yak shaving! 🐂🪒
The JavaScript package manager #npm is being massively flooded with packages that contain SEO spam and are meant to mislead users. https://winfuture.de/news,135439.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
Just realized I misspelled the "packageManager" key in my package.json when I migrated to pnpm. There is still no way to use semver in that key after all. People started putting their ^ at the start because it doesn't fail the regex used in vscode, but this doesn't work at all and will just make corepack fail. #pnpm #npm #vscode #node
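An added example, not the poster's code: a small validator for the "packageManager" field in the form Corepack pins it, an exact version after the manager name with an optional "+<algorithm>.<hex digest>" integrity suffix. It rejects ranges, including a "^" placed before the name, which some editors' loose regexes let through. The accepted manager names and the exact shape of the integrity-suffix regex are assumptions made for this check, not taken from Corepack's source.

```javascript
// Validate a package.json "packageManager" value the way Corepack consumes it:
// "<name>@<exact version>" plus an optional "+<algorithm>.<hex digest>" suffix.
// Semver ranges are rejected: Corepack installs exactly what is written.
const KNOWN_MANAGERS = new Set(['npm', 'pnpm', 'yarn']);            // assumption: the managers Corepack ships shims for
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;         // no ^ ~ x * >= ranges
const INTEGRITY_SUFFIX = /^\+([a-z0-9]+)\.([0-9a-f]+)$/;            // assumed shape, e.g. "+sha224.<hex>" or "+sha512.<hex>"

function validatePackageManager(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'packageManager must be a string' };
  if (/^[\^~]/.test(value)) {
    // A leading range operator passes a loose editor regex but Corepack cannot parse it.
    return { ok: false, reason: `range operator "${value[0]}" before the manager name` };
  }
  const at = value.indexOf('@');
  if (at <= 0 || at === value.length - 1) return { ok: false, reason: 'expected "<name>@<version>"' };
  const name = value.slice(0, at);
  let version = value.slice(at + 1);
  if (!KNOWN_MANAGERS.has(name)) return { ok: false, reason: `unknown package manager "${name}"` };
  let integrity = null;
  const plus = version.indexOf('+');
  if (plus !== -1) {
    const m = INTEGRITY_SUFFIX.exec(version.slice(plus));
    if (!m) return { ok: false, reason: 'malformed integrity suffix' };
    integrity = { algorithm: m[1], digest: m[2] };
    version = version.slice(0, plus);
  }
  if (!EXACT_VERSION.test(version)) {
    return { ok: false, reason: `version "${version}" is not an exact version (ranges are not allowed)` };
  }
  return { ok: true, name, version, integrity };
}

// Convenience wrapper for a raw package.json document.
function checkPackageJson(text) {
  let doc;
  try { doc = JSON.parse(text); } catch (e) { return { ok: false, reason: `invalid JSON: ${e.message}` }; }
  if (!('packageManager' in doc)) return { ok: false, reason: 'no packageManager field' };
  return validatePackageManager(doc.packageManager);
}

// Constructed inputs showing the common mistakes.
const SAMPLES = ['pnpm@8.6.0', 'pnpm@^8.6.0', '^pnpm@8.6.0', 'pnpm@8.6.0+sha224.0123abcd', 'yarn@3.x'];
for (const s of SAMPLES) console.log(s, '->', validatePackageManager(s));
```

Running this as a pre-commit or CI check catches the field before Corepack does, with a reason instead of a bare parse failure.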
#Development #Findings
One in two new npm packages is SEO spam right now · Just README files with links to various malicious websites https://ilo.im/120gj2
_____
#Npm #PackageManager #WebDevelopment #WebDev #JavaScript #NodeJS #Security #Malware #Spam
"One In Two New Npm Packages Is SEO Spam Right Now"
https://blog.sandworm.dev/one-in-two-new-npm-packages-is-seo-spam-right-now
50% of new #NPM packages are spam:
https://blog.sandworm.dev/one-in-two-new-npm-packages-is-seo-spam-right-now
"That is - empty packages, with just a single README file that contains links to various malicious websites."
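An added triage heuristic for the pattern the article describes, not code from the article or from Sandworm: flag a tarball that contains no code files and whose README is mostly outbound links. The input is a constructed view of the unpacked tarball ({ name, main, entries: [{ path, content }] }), not the package.json "files" field, and the threshold of five links is an assumed starting point.

```javascript
// Heuristic triage for npm SEO spam: no code in the tarball plus a link-heavy README.
// Input is a constructed description of the unpacked tarball, not the package.json "files" field.
const CODE_FILE = /\.(?:[cm]?js|[cm]?ts|jsx|tsx|wasm|node)$/i;
const README_FILE = /^readme(?:\.(?:md|markdown|txt))?$/i;
const LINK = /https?:\/\/[^\s)<>"']+/gi;

function assessPackage(pkg, { minLinks = 5 } = {}) {
  const entries = pkg.entries || [];
  const codeFiles = entries.filter((e) => CODE_FILE.test(e.path));
  const readme = entries.find((e) => README_FILE.test(e.path));
  const links = readme ? (readme.content.match(LINK) || []) : [];
  const hosts = new Set();
  for (const link of links) {
    try { hosts.add(new URL(link).hostname); } catch { hosts.add(link); }
  }
  const signals = [];
  if (codeFiles.length === 0) signals.push('no code files in tarball');
  if (pkg.main && !entries.some((e) => e.path === pkg.main)) {
    signals.push(`declared main "${pkg.main}" is not in the tarball`);
  }
  if (links.length >= minLinks) {
    signals.push(`${links.length} outbound links to ${hosts.size} host(s) in README`);
  }
  if (readme && entries.length <= 2) signals.push('tarball is only README plus package.json');
  // Either signal alone is common in legitimate packages (a placeholder package has no code,
  // a documentation-heavy README has many links); the combination is the spam signature.
  const suspicious = codeFiles.length === 0 && links.length >= minLinks;
  return { name: pkg.name, suspicious, signals, hosts: [...hosts].sort() };
}

// Constructed samples (not real packages; .example hosts are reserved names).
const SPAM_SAMPLE = {
  name: 'free-stream-hd-2023',
  main: 'index.js',
  entries: [
    { path: 'package.json', content: '{"name":"free-stream-hd-2023","version":"1.0.0","main":"index.js"}' },
    { path: 'README.md', content: [
      '# Watch now',
      '- https://spam-one.example/watch?movie=1',
      '- https://spam-one.example/watch?movie=2',
      '- https://spam-two.example/stream',
      '- https://spam-two.example/download',
      '- https://spam-three.example/',
      '- https://spam-three.example/free',
    ].join('\n') },
  ],
};
const LEGIT_SAMPLE = {
  name: 'tiny-left-pad',
  main: 'index.js',
  entries: [
    { path: 'package.json', content: '{"name":"tiny-left-pad","version":"1.0.0","main":"index.js"}' },
    { path: 'index.js', content: 'module.exports = (s, n) => String(s).padStart(n);' },
    { path: 'README.md', content: '# tiny-left-pad\nSee https://git.example/tiny-left-pad for docs.' },
  ],
};

console.log(assessPackage(SPAM_SAMPLE));
console.log(assessPackage(LEGIT_SAMPLE));
```

The check is cheap enough to run on every new version seen by a registry mirror; the returned signals are meant for a human reviewer, since the heuristic will also surface harmless link-collection packages.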
🪲 VSCode hack shows how supply chain attacks can extend to other software development tools
👉 Extensions are developed in Node.js
👉 Malicious npm packages to extensions
👉 Infected extensions & Auto update
Is there an issue with #npm? I'm running `npm audit fix` and it takes ages doing nothing as far as I can tell by looking at CPU and Network usage 🤷♂️
All turned to rain and my afternoon saved by
“Skolan efter marknaden
Om skolans och lärarrollens framtid”
(That last part was the assignment all the authors got)
Lots of reviews of this already, so I'll not be disappointed. I love the title
@asaplsnr @Skolinkvisition


@davidcrespo How is the interop with #npm / larger ecosystem these days? Deno looks so amazing but every time I want to try it I get scared off by the (seemingly) relative lack of packages

How to install #NodeJS on #Windows with #winget
From my understanding you can basically put any character except a slash in a #Unix file path, so any input which accepts both a package and a file is fundamentally ambiguous. The only way to avoid that would be something like:
```
import 'pkg:foo.js';
// VS
import 'file:foo.js';
```
(And `file:` needs to be *required* for file paths.)
I do feel like it could at least be made less of an issue if #NPM packages had a special character convention. For example, if the leading `@` was required even for unscoped packages, then you'd import with:
```
import '@foo.js'; // Package
// VS
import 'foo.js'; // File
```
Ultimately you could still name a file `@foo.js`, so there is definitely ambiguity. However it would be significantly less common of an issue in practice.
#TIL that you can run `npm version patch` to do a patch (or minor, major etc) version increment which will update your package.json file and create a new git tag. Very cool.
#javascript #typescript #opensource #foss #fosstodon #npm #git #github #pnpm
So far I've used good ol' #NPM for all my JS/TS projects. Lately I've been eying #PNPM, mostly because installs are much faster, although the disk space savings are nice too.
However, I am not 100% convinced that it's the best decision as it's yet another thing that the whole team has to install. One more barrier before you can get the code up and running as a new dev on the team.
Is it worth it? I'm 50/50, can't really decide.
Some days later, I have now written this script to create a somewhat "isolated" environment for #npm #webdev #pip #dev
https://gist.github.com/iameru/4ec933eddd4c44f02da04a97a29b6342
Feel free to use and tell me if you find an error please :)
Blah, so even the CLI for #VSCode Dev Containers requires that #NPM is installed, or you are using VSCode, or compile from source. https://code.visualstudio.com/docs/devcontainers/devcontainer-cli 🤦♂️
@codebyjeff Laradock seems like DDev(https://ddev.readthedocs.io/en/latest/) which is also geared towards the main source code being the main website/application. There is an aspect of needing a #WordPress install for testing and such but that isn't the main source code. I've tried to use the `@wordpress/env` #NPM package in the past but it also assumes/requires Node/NPM to be installed on the machine, along with all of the build stuff to be run via a local NPM install.
@codebyjeff well, so I need build tooling such as #NPM & #Composer but I don't want to maintain the versions of those on my own machine I want them version controlled with my source code, for use by other developers for maintenance. Also, this is like "module" code (plugins & themes) that aren't an entire site itself. Most of the #Docker tools out there assume that your source code is a fully functional application.
So #WordPress plugin, or theme, Devs. Is there a #Docker only local plugin(or theme) development environment available? Something that doesn't require me to maintain #Node, #NPM, #PHP, or #Composer on my local machine? Perhaps #VSCode Dev Containers is the closest I'm going to get but I don't want the #IDE lock-in either, as I don't even use VSCode. I've been playing with just a Dockerfile & docker-compose.yml but it has some usability issues currently.
Is there a database that classifies NPM library vulnerabilities as affecting only the server side or only the client side?
https://security.stackexchange.com/questions/269258/is-there-a-database-that-classifies-npm-library-vulnerabilities-as-affecting-onl
#cve #npm
99 problems and a #JavaScript package manager ain't one! #npm #yarn #pnpm
#TIL that "npm ci" means "npm clean-install". I always thought it was an #npm command for #continuousIntegration #ciCd #node #nodejs #javaScript
Speeding up the JavaScript ecosystem – npm scripts
https://marvinh.dev/blog/speeding-up-javascript-ecosystem-part-4/
#ES_Next_News #ECMAScript #JavaScript #npm
Introducing “safe npm”, an npm wrapper by Socket
https://socket.dev/blog/introducing-safe-npm
#ES_Next_News #ECMAScript #JavaScript #npm
https://npmjs.com/set-cookie-parser now supports fetch()'s new getSetCookie() API, to provide easier and more reliable access to uncombined Set-Cookie headers.
(Multiple Set-Cookie header values were combined into a single comma-separated string previously, which is tricky to parse since the values can also contain commas!)
#Node.js supports the API, #deno has an open PR, and hopefully #ReactNative will roll out support sometime soon.
See https://github.com/whatwg/fetch/pull/1346 for more.
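An added example, not code from set-cookie-parser or from the post: the splitting problem described above, solved the way a parser has to. A naive split on commas breaks because an Expires attribute contains one ("Wed, 21 Oct 2015 ..."), so a new cookie is only recognised where a comma is followed by a cookie-name token and "=". The second function prefers getSetCookie() when the runtime's Headers has it and falls back to the splitter; the sample header string is constructed.

```javascript
// Split a combined Set-Cookie header value back into individual cookies.
// A new cookie starts only where a comma is followed by optional whitespace,
// a non-empty token, and "="; commas inside values (Expires dates) are kept.
function splitSetCookieString(combined) {
  const cookies = [];
  const n = combined.length;
  let start = 0;
  let pos = 0;
  while (pos < n) {
    const comma = combined.indexOf(',', pos);
    if (comma === -1) break;
    let i = comma + 1;
    while (i < n && /\s/.test(combined[i])) i++;           // skip whitespace after the comma
    let j = i;
    while (j < n && /[^=;,\s]/.test(combined[j])) j++;      // read a would-be cookie name
    if (j > i && combined[j] === '=') {
      cookies.push(combined.slice(start, comma).trim());   // "token=" follows: a new cookie starts at i
      start = i;
      pos = i;
    } else {
      pos = comma + 1;                                      // comma inside a value (e.g. a date): continue
    }
  }
  const tail = combined.slice(start).trim();
  if (tail) cookies.push(tail);
  return cookies;
}

// Use the standard getSetCookie() when available (Node 20+, modern browsers' Headers),
// otherwise split the combined string. Accepts any object with a get() method.
function getSetCookies(headers) {
  if (typeof headers.getSetCookie === 'function') return headers.getSetCookie();
  const combined = headers.get('set-cookie');
  return combined ? splitSetCookieString(combined) : [];
}

// Constructed sample: two cookies as a runtime would combine them. A value that
// itself contains ",name=" is inherently ambiguous and would be split too.
const COMBINED_SAMPLE =
  'session=abc123; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/; HttpOnly, theme=dark; Path=/; SameSite=Lax';

console.log(splitSetCookieString(COMBINED_SAMPLE));
```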
I just launched a utility to help format Tailwind CSS classes for readability while minimizing whitespace rendered in the DOM. This utility has support for inline C-style comments within the class lists to help document complex styles. View this project on GitHub and install via NPM. I hope someone finds this helpful. Feel free to offer suggestions for improvement.
https://github.com/goldenpathtechnologies/tagged-classnames
https://www.npmjs.com/package/tagged-classnames
#TailwindCSS #WebDevelopment #WebDev #TypeScript #ClassNames #GitHub #NPM #JavaScript
The main reason I like #Deno over #NPM is that each file can act as a full "package". If the file defines all its dependencies, then it's readily usable from other packages with simple URL import.
This means you could build an awesome library, and not need to worry about splitting it into multiple smaller libraries.
The second best feature is no node_modules.
npm-installed modules: In principle, it should be possible to generate an import map for a given package.json so that code works in web browsers without any kind of building.
Has anyone written a tool that does that?
https://dev.to/siddharthshyniben/3-ways-to-import-node-modules-in-deno-3fo4 - 3 ways to import #node #npm modules in #deno. Great quick tip https://github.com/SiddharthShyniben.
Do not tell my $CURRENT_EMPLOYER I share this with you, but here's a gem I wrote on the troubleshooting page of our Development Setup while dealing with #node #npm & #javascript

Our industry is an embarrassment. This one man has been providing the entire fucking World Wide Web with compatibility for roughly $2/hr for a DECADE. And still microsofts, apples, amazons et al., who were able to pocket HUNDREDS OF BILLIONS of dollars off the back of this ONE man’s labor, don’t pay him shit; for years his biggest backer had been a tiny #FOSS project.
This is shit, our industry is shit, and we are shit.
#webdev #JavaScript #Web #npm #github #opensource
https://github.com/zloirock/core-js/blob/master/docs/2023-02-14-so-whats-next.md

@fediversenews
The latest version of the Vue ActivityPub Timeline comes with the following new features
👉 Loading icon that works with light and dark theme
👉 Dialog that shows the post thread (ancestor and descendants of the post) in a dialog on the same page
👉 Videos are shown as image preview. On click the video opens in a new tab
see https://www.npmjs.com/package/@networld-to/vue-ap-timeline
500 weekly downloads 💻👍
How do you isolate your dev environment? Do you?
Regarding #webdev or #dev in general: when using e.g. react, next or even just axios I get a ton of #npm modules installed in the JS ecosystem. Same with python #pip (though it seems a lot friendlier).
Now these packages sometimes become a security risk for my computer, my data, potentially life.
That's why I think we should all get a secure but ideally hassle-free way to code.
How do you do it or do you have an idea? Pls boost!
Simple Scaffold v1.1.3 is out, with no Windows bugs* this time!
* that I know of
I’ve blogged my npm troubleshooting guide here — 10 easy steps
If you want to npm install a specific branch of your Node module from @Codeberg, you can do:
npm install git+https://codeberg.org/<organisation>/<repository>.git#<branch name>
e.g., npm install git+https://codeberg.org/small-tech/hyperscript-to-html-string.git#escape-newlines-in-attributes
I'm in a dilemma, and I need the #advice from the #Linux #Mastodon community. I want to move from rolling release #Arch based #endeavouros to a more stable (maybe a bit gaming-focused) distro. I'm between 2: #NitruxOS and #Nobara.
Plus:
Nitrux:
- #Debian based (I have some experience)
Nobara:
- #gaming focused
Minus:
Nitrux:
- Uses MauKit & I prefer the #KDE apps
- Latte, which I'm concerned about because it's abandoned
Nobara:
- Uses #npm (No experience)
What should I choose?
My bad, I accidentally ran `npm config set registry http://registry.npmjs.org --global` instead of *https* while troubleshooting. 🤦♂️
All good now :)
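An added example, not the poster's code: a small .npmrc audit for exactly this class of slip. It flags registries served over plain http, strict-ssl=false, and the quieter problem that a registry-scoped credential key ("//host/path/:_authToken=...") carries no scheme, so the token is sent over whatever scheme the matching registry URL uses. The sample files and token value are constructed placeholders.

```javascript
// Audit .npmrc text for settings that expose credentials or packages to tampering.
// Returns a list of findings; an empty list means nothing flagged.
function auditNpmrc(text) {
  const findings = [];
  const registries = [];   // { key, url }
  const credentials = [];  // { key, hostPath }  e.g. "registry.npmjs.org/"
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry' || key.endsWith(':registry')) {
      registries.push({ key, url: value });
      if (/^http:\/\//i.test(value)) {
        findings.push({ severity: 'high', key, message: `registry ${value} uses plain http; use https://` });
      }
    } else if (key === 'strict-ssl' && value === 'false') {
      findings.push({ severity: 'high', key, message: 'strict-ssl=false disables TLS certificate verification' });
    } else if (key.startsWith('//') && /:(?:_authToken|_auth|_password)$/.test(key)) {
      // Scheme-less "nerf dart" credential key: "//host/path/:_authToken"
      credentials.push({ key, hostPath: key.slice(2, key.lastIndexOf(':')) });
    }
  }
  // A credential whose host/path matches an http:// registry goes out in cleartext.
  for (const cred of credentials) {
    for (const reg of registries) {
      let url;
      try { url = new URL(reg.url); } catch { continue; }
      const regHostPath = (url.host + url.pathname).replace(/\/?$/, '/');
      const credHostPath = cred.hostPath.replace(/\/?$/, '/');
      if (url.protocol === 'http:' && regHostPath === credHostPath) {
        findings.push({ severity: 'critical', key: cred.key, message: `credential would be sent in cleartext to ${reg.url}` });
      }
    }
  }
  return findings;
}

// Constructed samples; the token is a placeholder, not a real credential.
const BAD_NPMRC = [
  '# global config after a typo in "npm config set registry"',
  'registry=http://registry.npmjs.org',
  '//registry.npmjs.org/:_authToken=npm_PLACEHOLDER',
  '@acme:registry=https://npm.acme.example/',
  'strict-ssl=false',
].join('\n');
const GOOD_NPMRC = 'registry=https://registry.npmjs.org/\n//registry.npmjs.org/:_authToken=npm_PLACEHOLDER\n';

console.log(auditNpmrc(BAD_NPMRC));
console.log(auditNpmrc(GOOD_NPMRC));
```

Run it over both the per-project .npmrc and the user-level one (npm config get userconfig), since the --global or user file is where a troubleshooting typo like the one above usually lands.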
I agree completely with @darth_mall
https://darthmall.net/weblog/2023/npms-effect-on-dev-workflow/
"40x faster than NPM" is a pretty nice claim, innit? #orogene
This is the "warm cache, existing package-lock.kdl" scenario, which is most common in CI setups that support caches, as well as when switching between branches that you've previously installed dependencies for.
So yeah, this is fast enough that I think I could have orogene provide a git hook that automatically reinstalls your node_modules on branch switch.
Oh, and this is all hard links, deduplicated by content hash, so you only have exactly one copy of a file in your entire system, ever.
I'm also pretty pleased that oro is almost twice as fast as bun, which is known to be screaming-fast. 😎
One of my favorite moments while working on #NPM was benchmarking things in pre-5.0 NPM and realizing the package cache was doing absolutely nothing. Zilch. It didn't have any effect whether you enabled it or not. It was just a bug farm.
I have a Google Cloud Build-based CI/CD which is triggered from a GitHub repo - it runs tests then publishes to npm.
Everything works fine except when Dependabot creates a PR because npm publish fails because the package version isn't updated.
Anyone got a way to fix this? It's not the end of the world but feels like it should be automate-able.
Boosts would be much appreciated.
#CICD #NPM #GoogleCloudBuild #webDev
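An added example, not the poster's pipeline: a version gate to run before npm publish. It compares the version in package.json with the versions already on the registry (what "npm view <name> versions --json" returns; the list here is constructed) and answers skip, publish or fail, so a dependency-only PR that leaves the version untouched is skipped instead of failing the build, and a version lower than what is published is caught before it reaches the registry. The semver comparison is written out rather than pulled in, so the block runs without dependencies.

```javascript
// Decide whether CI should publish the local version, given what the registry already has.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Returns -1, 0 or 1 following semver precedence rules (prerelease < release,
// numeric identifiers compare numerically and sort before alphanumeric ones).
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length === 0 || y.pre.length === 0) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;           // shorter prerelease list sorts first
    if (y.pre[i] === undefined) return 1;
    const nx = /^\d+$/.test(x.pre[i]);
    const ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) {
      if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] < +y.pre[i] ? -1 : 1;
    } else if (nx !== ny) {
      return nx ? -1 : 1;
    } else if (x.pre[i] !== y.pre[i]) {
      return x.pre[i] < y.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

// localVersion: from package.json. publishedVersions: from `npm view <name> versions --json`.
function publishDecision(localVersion, publishedVersions) {
  if (publishedVersions.includes(localVersion)) {
    return { action: 'skip', reason: `${localVersion} is already published (version not bumped)` };
  }
  const newest = publishedVersions.reduce(
    (a, b) => (compareSemver(a, b) >= 0 ? a : b),
    publishedVersions[0],
  );
  if (newest !== undefined && compareSemver(localVersion, newest) < 0) {
    return { action: 'fail', reason: `${localVersion} is older than the newest published ${newest}` };
  }
  return { action: 'publish', reason: `${localVersion} is new` };
}

// Constructed registry state for a demo run.
const PUBLISHED = ['1.2.2', '1.2.3'];
console.log(publishDecision('1.2.3', PUBLISHED));   // skip: Dependabot-style PR, no bump
console.log(publishDecision('1.2.4', PUBLISHED));   // publish
console.log(publishDecision('1.2.0', PUBLISHED));   // fail
```

In the pipeline, map "skip" to a successful no-op step and "fail" to a red build; "publish" is the only branch that reaches npm publish. Keeping publish off pull-request builds entirely, and running it only on the default branch or on tags, removes the failure from PRs altogether.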
This looks neat:
https://sandworm.dev/
Hovering over an #npm dependency in #WebStorm produces a helpful little popup from the readme. Neat. #JavaScript #TypeScript
What are the best practices when packaging Python + JavaScript projects? I know that @Jupyter is using Hatch and created a custom extension. Are there other examples? Asking for kedro-viz https://github.com/kedro-org/kedro-viz
TypeScript/JavaScript devs:
How willing are you to change your habits and assumptions, for the sake of a faster and cleaner workflow?
For example, what if you could no longer assume that node_modules are regular files you can load, and instead are meant to be consumed by resolvers (bundlers, node.js, etc)?
What if node_modules/.bin wasn't a thing you could just poke at?
What if the way peerDependencies worked changed on you, or if a new type of dependency was introduced?
Assuming, of course, that all of these involve significant advantages.
I've finally gotten around to making a project board/"roadmap" for #orogene!
Please check it out, and let me know if there's anything you really wish orogene would do that you don't see on the list!
lol
when you (aka me) are prompted by #npm to upgrade to a newer version and (in a temp lapse of judgment) decide to do so.
of course, npm won't update itself to a version that isn't compatible with the version of #node npm is running in, right? right?!
now I have npm 9 (not) running on node 13. 😂
np, I'll downgrade node: `npm i -g npm@8`
"ERROR: npm 9.5 is known not to run on Node 13.14"
Good thing I had #nvm installed:
`nvm uninstall 13.14.0`
`nvm install 13.14.0`
Life is good again.
Is it useful to have releases in GitHub for projects that are always installed from npmjs? 🤔
Asking for example for a pet project (which is also a mono-repo).
- GitHub: <https://github.com/nhoizey/images-responsiver/releases>
- npm:
- `images-responsiver`: <https://www.npmjs.com/package/images-responsiver>
- `eleventy-plugin-images-responsiver`: <https://www.npmjs.com/package/eleventy-plugin-images-responsiver>
So I finally figured out how to deal with some mystery slowness during file extraction in #orogene, and managed to get full extraction working and it is:
👉🏻 4x faster than #pnpm
👉🏻 4x faster than #yarn
👉🏻 3x faster than #npm
...and these are just some initial numbers! There's still some stuff I'm sure I haven't tried to do yet that could bump that further.
On my machine, this means it can fully resolve and install a react app in 11 seconds.
v v exciting results so far.
RxJS has a crazy number of weekly downloads on npm: more than 47 million!
See the RxJS stats on npm: https://www.npmjs.com/package/rxjs
I wonder: Who uses it? In which context?
A well known context is Angular (RxJS is a peerDependency of Angular). But that can only be a small portion. Angular core has 3.3M weekly downloads: https://www.npmjs.com/package/@angular/core
#Opensource funding challenge:
Go into your main project and, assuming it uses #npm, run “npm fund”
Pick 5 projects that don’t seem well-funded, and donate to them
Just did so (admittedly using “npm fund” for the first time), donating a little to @ljharb, @sindresorhus, @fb55@twitter.com, @paulmillr, and @wooorm
(Consider boosting to encourage more contributions)