Waseem
@iamwaseem@mastodon.social
It's been some weeks with npm exploits. But there is a fix, Deno's limited permissions can help here.
https://deno.com/blog/deno-protects-npm-exploits
#npm
Waseem
@iamwaseem@mastodon.social
It's been some weeks with npm exploits. But there is a fix, Deno's limited permissions can help here.
https://deno.com/blog/deno-protects-npm-exploits
Waseem
@iamwaseem@mastodon.social
It's been some weeks with npm exploits. But there is a fix, Deno's limited permissions can help here.
https://deno.com/blog/deno-protects-npm-exploits
Daemon Silverstein
@dsilverz@calckey.world
#NPM from #Node.js ended up in the hands of Microsoft.
#RubyGems from #Ruby ended up in the hands of a nazi libertarian.
It feels like #OSS and #FOSS are being attacked on a daily basis.
Do anyone have information regarding #PyPi from #Python, is it also compromised? As far as I know, PyPi stopped working with pip search ("Use the browser") and the website needs JS to function (because it uses some PoW browser checking), so using Lynx or elinks as a sysadmin on a terminal-only machine in order to search for Python packages have been a no-no. Wonder how much it's due to similar phenomenon going on with Ruby and Node.js ecosystems.
Kat Marchán 🐈
@zkat@toot.cat
cross-posting my little rant about #npm #npmattack #javascript #typescript stuff here:
Random NPM thoughts of the day:
- The primary NPM registry should be obsoleted entirely ASAP
- JSR does not do anywhere near as much as it should, and it's probably too late to fix.
- A proper successor must only support "standard" JS, though temporarily accepting "strippable types" is ok rn
- All packages MUST be ESM (JSR ok here)
- MUST include docstrings on all publicly-reachable interfaces.
- MUST NOT include any type of dependency other than a named registry dependency with a semver version (no git deps etc)
- MUST have a non-trivial README.
- MUST be tied to a PUBLIC repo.
- MUST NOT have install scripts (yeah sorry, the fight's over)
- MUST clearly include a license, even if the license is "source available, not open source". This restriction MUST NOT limit to OSI's ridiculous list.
- MUST have a name that is scoped to its publishing user/org (@foo/bar)All of the above constraints MUST be checked at publish time.
Furthermore, the registry MUST provide the following, based on this:
- Full browsable (published) package sources, right on the site. With linkable paths. None of this absolute trash NPM decided to do.
- Autogenerated API docs.
- Lower-traffic packages that have not had a new version in 6 months should be completely delisted. They can be installed, with a warning printed.
- Usernames/org names and package names must employ a suitably-aggressive levenshtein distance for potential conflicts. This should be aggressive.
- Packages cannot be transferred between accounts, and it's against policy to allow others access to your personal account. Orgs can work around this.
- Top 1000 packages (maybe more) have all new publishes put on hold for 7 days, and placed into a public review queue, overridden by [tbd?staff?]
- Y'all aren't gonna like this but: package installation should be reasonably throttled. Both to keep costs down, and to encourage people to do something less lazy than "I'm just going to install all 2k dependencies on CI every time I push a docs change". It's wasteful and harmful for many reasons.
I think that's all I got off the top of my head for now.
There's honestly a lot of stuff that could be done on the client side to make life better, too, and y'all know I have a ton of thoughts on that, but I wanted to rant about registries for a bit, esp now that the NPM registry is crumbling.
Tane Piper
@tanepiper@tane.codes
Oh no, not again... a meditation on #NPM supply chain attacks
https://tane.dev/2025/09/oh-no-not-again...-a-meditation-on-npm-supply-chain-attacks/
Tane Piper
@tanepiper@tane.codes
Oh no, not again... a meditation on #NPM supply chain attacks
https://tane.dev/2025/09/oh-no-not-again...-a-meditation-on-npm-supply-chain-attacks/
derekheld
@derekheld@infosec.exchange
A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm
Emelia 👸🏻
@thisismissem@hachyderm.io · Reply to Emelia 👸🏻's post
Also, npm now supports trusted publishing: https://docs.npmjs.com/trusted-publishers
This means you don't need a static token in your CI/CD configuration anymore.
Emelia 👸🏻
@thisismissem@hachyderm.io
Pro-tip for npm: rather than using a classic access token in your ~/.npmrc file, generate a granular access token that only has read permissions.
That way if something does compromise you, they only get access to the read token and cannot publish on your behalf.
derekheld
@derekheld@infosec.exchange
A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm
Ben Hardill
@ben@hardill.me.uk
Ben Hardill
@ben@hardill.me.uk
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
洪 民憙 (Hong Minhee)
@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
BastilleBSD 
@BastilleBSD@fosstodon.org
Are npm packages and dependencies an unmitigated disaster, or is it just me?
Alex0007
@Alex0007@mastodon.social
lil5 
🚲 🇳🇱
@lil5@social.linux.pizza
| Option | Voters |
|---|---|
| Deno | 4 (57%) |
| Bun | 3 (43%) |
skry
@skry@mastodon.social
“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.
And now attackers are catching on.”
The Rise of Slopsquatting: How #AI Hallucinations Are Fueling... https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks #npm #dev #infosec
Edit: more info: https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
skry
@skry@mastodon.social
“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.
And now attackers are catching on.”
The Rise of Slopsquatting: How #AI Hallucinations Are Fueling... https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks #npm #dev #infosec
Edit: more info: https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
Richie Khoo
@richiekhoo@hachyderm.io
Package Manager for Markdown
I'm working on a project that is intended to encourage folk to make markdown text files which can be bundled together in different bundles of text files using a package manager.
Question for coders; Which package manager would you suggest I use?
Main criterias (in order) are:
1. Easy for someone with basic command line skills to edit the file and update version numbers and add additional packages.
2. All being equal, more commonly and easy to setup is preferred.
#Markdown #CommonMark #PackageManager #Programming #Dev
#NPM #RubyGems #Cargo #PickingAMastodonInstance
#Ruby #Python #Rust #Javascript #NodeJs #Lisp #CommonGuide
Maho Pacheco 🦝🍻
@mapache@hachyderm.io
Rust cargo is the new npm-packages lol
Chee Aun 🤔
@cheeaun@mastodon.social
Huh, Runkit has been gone for few months and npm pages are still linking to it https://github.com/orgs/community/discussions/141424
The forum is also filled with reports and spam https://discuss.runkit.com/ 😥
Deno
@deno_land@fosstodon.org
Are you still using npm transpile services like esm.sh and unpkg.com?
❌ dependency deduplication
❌ install hooks and native add-ons
❌ loading data files
Here's why we recommend importing npm packages natively via npm specifiers 👇
https://deno.com/blog/not-using-npm-specifiers-doing-it-wrong
Inautilo
@inautilo@mastodon.social
#Development #Launches
SQL Noir · A game to learn SQL by solving crimes https://ilo.im/162ciw
_____
#OpenSource #Game #Database #SQL #MySQL #SQLite #PostgreSQL #Npm #WebDev #Backend
Inautilo
@inautilo@mastodon.social
#Development #Launches
SQL Noir · A game to learn SQL by solving crimes https://ilo.im/162ciw
_____
#OpenSource #Game #Database #SQL #MySQL #SQLite #PostgreSQL #Npm #WebDev #Backend
Emelia 👸🏻
@thisismissem@hachyderm.io
ALT text details
Screenshot of the user or organisation profile for npm on the npm registry showing 64,788 packages all from different authors.Deno
@deno_land@fosstodon.org
Are you still using npm transpile services like esm.sh and unpkg.com?
❌ dependency deduplication
❌ install hooks and native add-ons
❌ loading data files
Here's why we recommend importing npm packages natively via npm specifiers 👇
https://deno.com/blog/not-using-npm-specifiers-doing-it-wrong
⚯ Michel de Cryptadamus ⚯
@cryptadamist@universeodon.com · Reply to @reiver ⊼ (Charles) :batman:'s post
@reiver i built on #fedialgo to make a customizable feed algorithm that is pretty much how i interact with #mastodon these days. it's available as an #npm package.
here's the demo app: https://github.com/michelcrypt4d4mus/fedialgo_demo_app_foryoufeed
this is what the demo app looks like:
#CustomFeeds #FediDevs #FediverseCustomFeeds #FediverseFeeds #FediverseUX
ALT text details
screenshot of fedialgo in action⚯ Michel de Cryptadamus ⚯
@cryptadamist@universeodon.com · Reply to @reiver ⊼ (Charles) :batman:'s post
@reiver i built on #fedialgo to make a customizable feed algorithm that is pretty much how i interact with #mastodon these days. it's available as an #npm package.
here's the demo app: https://github.com/michelcrypt4d4mus/fedialgo_demo_app_foryoufeed
this is what the demo app looks like:
#CustomFeeds #FediDevs #FediverseCustomFeeds #FediverseFeeds #FediverseUX
ALT text details
screenshot of fedialgo in action
Szymon Standarski
@standarski@mastodon.social
🚀 npm install vs. npm ci
• npm install: 📦 Installs dependencies from package.json, updates package-lock.json if needed. Flexible but slower.
• npm ci: ⚡ Clean, fast install based only on package-lock.json. Reproducible builds, perfect for CI/CD.
💡Tip: Use npm ci for consistent, reliable deployments! ✅
#javascript #npm
Szymon Standarski
@standarski@mastodon.social
🚀 npm install vs. npm ci
• npm install: 📦 Installs dependencies from package.json, updates package-lock.json if needed. Flexible but slower.
• npm ci: ⚡ Clean, fast install based only on package-lock.json. Reproducible builds, perfect for CI/CD.
💡Tip: Use npm ci for consistent, reliable deployments! ✅
#javascript #npm
Deno
@deno_land@fosstodon.org
Deno 🤝️ Nuxt.js
Deno
@deno_land@fosstodon.org
Deno 🤝️ Nuxt.js
Deno
@deno_land@fosstodon.org
Deno 🤝️ Nuxt.js
Deno
@deno_land@fosstodon.org
Deno 2.1.5 just landed —
▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces
Deno
@deno_land@fosstodon.org
Deno 2.1.5 just landed —
▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces
Deno
@deno_land@fosstodon.org
Deno 2.1.5 just landed —
▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces
Deno
@deno_land@fosstodon.org
Deno 2.1.5 just landed —
▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces
Deno
@deno_land@fosstodon.org
Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical comittee 55 (TC55).
Goodbye WinterCG, welcome WinterTC!
Deno
@deno_land@fosstodon.org
Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical comittee 55 (TC55).
Goodbye WinterCG, welcome WinterTC!
Deno
@deno_land@fosstodon.org
Deno 2.1.5 just landed —
▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces
Deno
@deno_land@fosstodon.org
Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical comittee 55 (TC55).
Goodbye WinterCG, welcome WinterTC!
Deno
@deno_land@fosstodon.org
Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical comittee 55 (TC55).
Goodbye WinterCG, welcome WinterTC!
Deno
@deno_land@fosstodon.org
Thank you for your support in helping us reach 100,000 GitHub stars! ⭐️
Deno
@deno_land@fosstodon.org
Thank you for your support in helping us reach 100,000 GitHub stars! ⭐️
Deno
@deno_land@fosstodon.org
Deno can now finally be installed through npm!
npm install -g deno
npx deno eval -p 1+2
tea 🌺
@thomasreggi@indieweb.social
Would love thoughts and feedback on my Future / deferred promise library:
https://www.npmjs.com/package/@reggi/future
Be kind ❤️
#JavasScript #js #npm #package #module #opensource #ts #typescript
Deno
@deno_land@fosstodon.org
Easily check for outdated dependencies with `deno outdated` 👇️
ALT text details
Deno outdated will check for outdated dependencies.Deno
@deno_land@fosstodon.org
this wren wants to remind you that Deno permission flags have shorthands
ALT text details
deno permission flags have shorthandsDeno
@deno_land@fosstodon.org
Deno 2.1 is out 🎉️
✈️️ first class Wasm support
🌳️ Long Term Support branch
⭐️ Improved dependency management
and much more!
#deno #node #javascript #nodejs #typescript #webdev #npm #wasm
Angelika Cathor
@angelikatyborska@mas.to
I wrote my thoughts on how to decide what's a regular dependency and what's a dev dependency in a JavaScript app (not library). It's surprisingly unclear... https://angelika.me/2024/11/11/dependencies-vs-dev-dependencies-javascript-apps/
Deno
@deno_land@fosstodon.org
Deno is a JavaScript package manager with more flexibility:
📦️ npm and JSR
🛠️️ package.json and deno.json
👟️ fast
Deno
@deno_land@fosstodon.org
The 🦕️ is out of the bag...
Deno
@deno_land@fosstodon.org
Curious about how the JSR logo and website design came together? 🤔️
Here's a 👀️ into our design process.
https://deno.com/blog/designing-jsr
#deno #node #javascript #typescript #webdevelopment #npm #jsr
Deno
@deno_land@fosstodon.org
Deno 1.46 is not only the last 1.x release, but also one of the biggest:
- Simpler CLI
- Multi-threaded web servers
- HTML, CSS, YAML support in `deno fmt`
- Better Node/npm compat (support for playwright, google-cloud, etc.)
and much more 👇️
Deno
@deno_land@fosstodon.org
Deno is known for its HTTP imports, but we've found it's insufficient for larger projects. This post explains the situation and how we've improved it.
Deno
@deno_land@fosstodon.org
std/data-structures, common data structures including red-black trees and binary heaps, is now stabilized at v1 on JSR
Fedify: ActivityPub server framework
@fedify@hollo.social
The fedify command is now available on #npm! You can install it using the following command:
npm install -g @fedify/cli
Or if you use #Bun:
bun install -g @fedify/cli
NosirrahSec 🏴☠️
@NosirrahSec@infosec.exchange
CVE-2023-49210 - node-openssl, this sounds like a malicious node package and it's just now popping in Defender Vulnerability Management inventories.
Did we miss some big story about this or is this just a case of the NVD backlog catching up and thus downstream ingestion of that information is just now making it to the masses?
I figured a malicious OSS package/update getting put into the ecosystem would be a hot article after the #xz #xz_utils debacle.
Anyone got better info than I do after doing some hunting? All I have are the initial detections from 3rd parties in November of 2023.