#npm

lil5 :golang: 🚲 🇳🇱's avatar
lil5 :golang: 🚲 🇳🇱

@lil5@social.linux.pizza

OptionVoters
Deno4 (57%)
Bun3 (43%)
skry's avatar
skry

@skry@mastodon.social

“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.

And now attackers are catching on.”

The Rise of Slopsquatting: How Hallucinations Are Fueling... socket.dev/blog/slopsquatting-

Edit: more info: bleepingcomputer.com/news/secu

skry's avatar
skry

@skry@mastodon.social

“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.

And now attackers are catching on.”

The Rise of Slopsquatting: How Hallucinations Are Fueling... socket.dev/blog/slopsquatting-

Edit: more info: bleepingcomputer.com/news/secu

Richie Khoo's avatar
Richie Khoo

@richiekhoo@hachyderm.io

Package Manager for Markdown

I'm working on a project that is intended to encourage folk to make markdown text files which can be bundled together in different bundles of text files using a package manager.

Question for coders; Which package manager would you suggest I use?

Main criterias (in order) are:

1. Easy for someone with basic command line skills to edit the file and update version numbers and add additional packages.

2. All being equal, more commonly and easy to setup is preferred.



Maho Pacheco 🦝🍻's avatar
Maho Pacheco 🦝🍻

@mapache@hachyderm.io

Rust cargo is the new npm-packages lol

Chee Aun 🤔's avatar
Chee Aun 🤔

@cheeaun@mastodon.social

Huh, Runkit has been gone for few months and npm pages are still linking to it github.com/orgs/community/disc

The forum is also filled with reports and spam discuss.runkit.com/ 😥

Deno's avatar
Deno

@deno_land@fosstodon.org

Are you still using npm transpile services like esm.sh and unpkg.com?
❌ dependency deduplication
❌ install hooks and native add-ons
❌ loading data files

Here's why we recommend importing npm packages natively via npm specifiers 👇

deno.com/blog/not-using-npm-sp

Inautilo's avatar
Inautilo

@inautilo@mastodon.social


SQL Noir · A game to learn SQL by solving crimes ilo.im/162ciw

_____

Inautilo's avatar
Inautilo

@inautilo@mastodon.social


SQL Noir · A game to learn SQL by solving crimes ilo.im/162ciw

_____

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

Why does the npm user or organisation on npm have 64,788 packages?

Screenshot of the user or organisation profile for npm on the npm registry showing 64,788 packages all from different authors.
ALT text detailsScreenshot of the user or organisation profile for npm on the npm registry showing 64,788 packages all from different authors.
Deno's avatar
Deno

@deno_land@fosstodon.org

Are you still using npm transpile services like esm.sh and unpkg.com?
❌ dependency deduplication
❌ install hooks and native add-ons
❌ loading data files

Here's why we recommend importing npm packages natively via npm specifiers 👇

deno.com/blog/not-using-npm-sp

⚯ Michel de Cryptadamus ⚯'s avatar
⚯ Michel de Cryptadamus ⚯

@cryptadamist@universeodon.com · Reply to @reiver ⊼ (Charles) :batman:'s post

@reiver i built on to make a customizable feed algorithm that is pretty much how i interact with these days. it's available as an package.

here's the demo app: github.com/michelcrypt4d4mus/f

this is what the demo app looks like:

screenshot of fedialgo in action
ALT text detailsscreenshot of fedialgo in action
⚯ Michel de Cryptadamus ⚯'s avatar
⚯ Michel de Cryptadamus ⚯

@cryptadamist@universeodon.com · Reply to @reiver ⊼ (Charles) :batman:'s post

@reiver i built on to make a customizable feed algorithm that is pretty much how i interact with these days. it's available as an package.

here's the demo app: github.com/michelcrypt4d4mus/f

this is what the demo app looks like:

screenshot of fedialgo in action
ALT text detailsscreenshot of fedialgo in action
Szymon Standarski's avatar
Szymon Standarski

@standarski@mastodon.social

🚀 npm install vs. npm ci

• npm install: 📦 Installs dependencies from package.json, updates package-lock.json if needed. Flexible but slower.
• npm ci: ⚡ Clean, fast install based only on package-lock.json. Reproducible builds, perfect for CI/CD.

💡Tip: Use npm ci for consistent, reliable deployments! ✅

Szymon Standarski's avatar
Szymon Standarski

@standarski@mastodon.social

🚀 npm install vs. npm ci

• npm install: 📦 Installs dependencies from package.json, updates package-lock.json if needed. Flexible but slower.
• npm ci: ⚡ Clean, fast install based only on package-lock.json. Reproducible builds, perfect for CI/CD.

💡Tip: Use npm ci for consistent, reliable deployments! ✅

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 🤝️ Nuxt.js

docs.deno.com/examples/nuxt_tu

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 🤝️ Nuxt.js

docs.deno.com/examples/nuxt_tu

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 🤝️ Nuxt.js

docs.deno.com/examples/nuxt_tu

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 2.1.5 just landed —

▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces

github.com/denoland/deno/relea

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 2.1.5 just landed —

▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces

github.com/denoland/deno/relea

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 2.1.5 just landed —

▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces

github.com/denoland/deno/relea

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 2.1.5 just landed —

▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces

github.com/denoland/deno/relea

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical comittee 55 (TC55).

Goodbye WinterCG, welcome WinterTC!

deno.com/blog/wintertc

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical comittee 55 (TC55).

Goodbye WinterCG, welcome WinterTC!

deno.com/blog/wintertc

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 2.1.5 just landed —

▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces

github.com/denoland/deno/relea

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical comittee 55 (TC55).

Goodbye WinterCG, welcome WinterTC!

deno.com/blog/wintertc

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical comittee 55 (TC55).

Goodbye WinterCG, welcome WinterTC!

deno.com/blog/wintertc

Deno's avatar
Deno

@deno_land@fosstodon.org

Thank you for your support in helping us reach 100,000 GitHub stars! ⭐️

github.com/denoland/deno

Deno's avatar
Deno

@deno_land@fosstodon.org

Thank you for your support in helping us reach 100,000 GitHub stars! ⭐️

github.com/denoland/deno

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno can now finally be installed through npm!

npm install -g deno

npx deno eval -p 1+2

npmjs.com/package/deno

tea 🌺's avatar
tea 🌺

@thomasreggi@indieweb.social

Would love thoughts and feedback on my Future / deferred promise library:

npmjs.com/package/@reggi/futur

Be kind ❤️

Deno's avatar
Deno

@deno_land@fosstodon.org

Easily check for outdated dependencies with `deno outdated` 👇️

docs.deno.com/runtime/referenc

Deno outdated will check for outdated dependencies.
ALT text detailsDeno outdated will check for outdated dependencies.
Deno's avatar
Deno

@deno_land@fosstodon.org

this wren wants to remind you that Deno permission flags have shorthands

deno.com/blog/v1.46#short-hand

deno permission flags have shorthands
ALT text detailsdeno permission flags have shorthands
Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 2.1 is out 🎉️
✈️️ first class Wasm support
🌳️ Long Term Support branch
⭐️ Improved dependency management
and much more!

deno.com/blog/v2.1

Angelika Cathor's avatar
Angelika Cathor

@angelikatyborska@mas.to

I wrote my thoughts on how to decide what's a regular dependency and what's a dev dependency in a JavaScript app (not library). It's surprisingly unclear... angelika.me/2024/11/11/depende

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno is a JavaScript package manager with more flexibility:
📦️ npm and JSR
🛠️️ package.json and deno.json
👟️ fast

deno.com/blog/your-new-js-pack

Deno's avatar
Deno

@deno_land@fosstodon.org

The 🦕️ is out of the bag...

youtube.com/watch?v=pcC4Dr6Wj2

Deno's avatar
Deno

@deno_land@fosstodon.org

Curious about how the JSR logo and website design came together? 🤔️

Here's a 👀️ into our design process.

deno.com/blog/designing-jsr

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno 1.46 is not only the last 1.x release, but also one of the biggest:
- Simpler CLI
- Multi-threaded web servers
- HTML, CSS, YAML support in `deno fmt`
- Better Node/npm compat (support for playwright, google-cloud, etc.)
and much more 👇️

deno.com/blog/v1.46

Deno's avatar
Deno

@deno_land@fosstodon.org

Deno is known for its HTTP imports, but we've found it's insufficient for larger projects. This post explains the situation and how we've improved it.

deno.com/blog/http-imports

Deno's avatar
Deno

@deno_land@fosstodon.org

std/data-structures, common data structures including red-black trees and binary heaps, is now stabilized at v1 on JSR

jsr.io/@std/data-structures

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

The fedify command is now available on ! You can install it using the following command:

npm install -g @fedify/cli

Or if you use :

bun install -g @fedify/cli

https://www.npmjs.com/package/@fedify/cli

NosirrahSec 🏴‍☠️'s avatar
NosirrahSec 🏴‍☠️

@NosirrahSec@infosec.exchange

CVE-2023-49210 - node-openssl, this sounds like a malicious node package and it's just now popping in Defender Vulnerability Management inventories.

Did we miss some big story about this or is this just a case of the NVD backlog catching up and thus downstream ingestion of that information is just now making it to the masses?

I figured a malicious OSS package/update getting put into the ecosystem would be a hot article after the debacle.

Anyone got better info than I do after doing some hunting? All I have are the initial detections from 3rd parties in November of 2023.