#npm

Karsten Schmidt

@toxi@mastodon.thi.ng · Reply to Karsten Schmidt's post

An update: After several failed publish attempts, more searching, (re)reading and experimenting for the past 4 hours, I've now figured out a solution using #NPM granular access tokens... But to summarize & document the issues, in case someone else encounters the same pain points:

1) There seems to be a new incompatibility between the NPM auth changes and running `yarn npm publish --access public`. After working successfully for the past 8 years, that command now gives me 404, even after re-authenticating. It just doesn't seem to pick up the auth token configured in `$HOME/.npmrc`. As result I've now switched all my publish commands to just be `npm publish --access public`. That seems to work!

2) The wording about the 50 package limit on the NPM auth token docs is very confusing: "Each token can access up to 50 organizations, and up to either 50 packages, 50 scopes, or a combination of 50 packages and scopes." As written, this reads like these limits are omnipresent for each token, but in fact one can also create tokens which can access ALL packages under your control. The 50 limit only seems to apply when creating token which is only allowed a subset...

Summa summarum, it is #ThingUmbrella #ReleaseFriday after all (updates to https://thi.ng/geom, bug fixes for https://thi.ng/args) and I can now proceed to enjoy the start of the Glühwein season on this cold Friday night... 🎉

#TypeScript #JavaScript #NPM #OpenSource

Karsten Schmidt

@toxi@mastodon.thi.ng

Okay, it seems classic NPM tokens already stopped working and so it's IMPOSSIBLE for me to release any new versions of my 210 projects/packages until they have implemented a solution which:

1) Doesn't require to manually setup a Trusted Publishing config for *every single package* or
2) They're lifting the arbitrary 50 packages per token limit for their new "granular" tokens (in addition to them already being severely time limited)

The current combined effect of these two restrictions means I cannot do automated multi-package releases from my monorepo, using a tool which handles changelog generation, version bumps and topological sorting of releases.

It's bloody infuriating! NPM has ignored looming security issues for a decade. Now they're rushing some halfbaked no-solution with several glaring issues, all within a few weeks notice and then not even sticking to their timeline. Classic tokens were supposed to stop working in November only...

#JavaScript #TypeScript #OpenSource #NPM

Karsten Schmidt

@toxi@mastodon.thi.ng · Reply to Karsten Schmidt's post

So to make it all even "better": To use Trusted Publishing, one also has to manually setup a GitHub Actions integration on npmjs.org for every single package individually! This is just mind boggling and infeasible and means I'd have to manually fill in a form 200+ times (for that many packages) before I could even properly test this new publishing workflow.

Other people who're maintaining thousands of packages (e.g. DefinitilyTyped, Fontsource) have chimed in here too: https://github.com/orgs/community/discussions/161015#discussioncomment-14451893

Let's hope this will be addressed!

#NPM #Security #TrustedPublishing #GitHub #JavaScript #TypeScript #OpenSource

Karsten Schmidt

@toxi@mastodon.thi.ng

So am I understanding this correctly that the upcoming NPM authentication and token changes mean our only publishing workflow options henceforth are either switching to OICD Trusted Publishing[1] via GitHub Actions or using granular access tokens. The problem with the former is that I wanted to migrate my projects to Codeberg soon (which isn't supported). The problem with the latter is that granular tokens are unsuitable for publishing packages from a large monorepo, since these tokens are limited to 50 packages only (in addition to time limits)[2].

My https://thi.ng/umbrella repo contains 210 packages, so in order to publish them (sometimes all of them will need to be updated) I'd have to first generate multiple tokens and then also keep track how many times each token has been used. This adds a lot of extra work and complexity to my monorepo publishing tool (https://thi.ng/monopub). I understand the need for improved NPM security, but as so often, these changes are just poorly thought through (IMO) and continuously add new workloads and complexity on maintainers...

[1] https://docs.npmjs.com/trusted-publishers
[2] https://docs.npmjs.com/about-access-tokens#about-granular-access-tokens

#NPM #Authentication #Security #OpenSource #MonoRepo #JavaScript #TypeScript

ansuz / ऐरन

@ansuz@social.cryptography.dog

The folks at npm sent out an email indicating that they were changing their security policies relating to the use of 2FA.

The information given was pretty vague, but they linked to a few resources for further reading. These included:

1. a gh.io link - which does not look authoritative at all

2. a random discussion on github, not even one on an npm-operated org

3. npm's generic support page

...and they wonder why people fall for phishing schemes

#npm #infosec #phishing

ansuz / ऐरन

@ansuz@social.cryptography.dog

The folks at npm sent out an email indicating that they were changing their security policies relating to the use of 2FA.

The information given was pretty vague, but they linked to a few resources for further reading. These included:

1. a gh.io link - which does not look authoritative at all

2. a random discussion on github, not even one on an npm-operated org

3. npm's generic support page

...and they wonder why people fall for phishing schemes

#npm #infosec #phishing

Patrick Wu

@patrick@hatoya.cafe

One Open-source Project Daily

The NPM drinking game recreated and cli-ified with Deno

https://github.com/ninest/drink-if-exists

#1ospd #opensource #deno #drinkinggame #game #npm

Patrick Wu

@patrick@hatoya.cafe

One Open-source Project Daily

The NPM drinking game recreated and cli-ified with Deno

https://github.com/ninest/drink-if-exists

#1ospd #opensource #deno #drinkinggame #game #npm

Kat Marchán 🐈

@zkat@toot.cat

lmao now legitimate security emails from NPM are considered phishing. What a shitshow.

#NPM #JavaScript #security

ALT text details

screenshot of an email that clearly says it's from support@npmjs.com, a legitimate email address belonging to the NPM support team. Fastmail has flagged it as suspicious, and that it might be a phishing attempt. The email seems to be about some "security improvements".

Lovell Fuller

@lovell@mastodon.social

🔒 If you publish packages to the npm registry and haven't already seen its new Trusted Publisher feature, please do take a look at https://docs.npmjs.com/trusted-publishers

🎟️ It uses short-lived OIDC tokens to allow CI-based automation of signed publish-with-provenance.

📈 According to https://github.com/sxzz/npm-top-provenance I maintain 6 of the top 50 packages that use this feature, and those 6 packages combined have over 600 million downloads each month!

#OpenSource #NodeJS #npm

Lovell Fuller

@lovell@mastodon.social

🔒 If you publish packages to the npm registry and haven't already seen its new Trusted Publisher feature, please do take a look at https://docs.npmjs.com/trusted-publishers

🎟️ It uses short-lived OIDC tokens to allow CI-based automation of signed publish-with-provenance.

📈 According to https://github.com/sxzz/npm-top-provenance I maintain 6 of the top 50 packages that use this feature, and those 6 packages combined have over 600 million downloads each month!

#OpenSource #NodeJS #npm

Waseem

@iamwaseem@mastodon.social

It's been some weeks with npm exploits. But there is a fix, Deno's limited permissions can help here.
https://deno.com/blog/deno-protects-npm-exploits

#node #npm #deno #javascript

Waseem

@iamwaseem@mastodon.social

It's been some weeks with npm exploits. But there is a fix, Deno's limited permissions can help here.
https://deno.com/blog/deno-protects-npm-exploits

#node #npm #deno #javascript

Waseem

@iamwaseem@mastodon.social

It's been some weeks with npm exploits. But there is a fix, Deno's limited permissions can help here.
https://deno.com/blog/deno-protects-npm-exploits

#node #npm #deno #javascript

Daemon Silverstein

@dsilverz@calckey.world

#NPM from #Node.js ended up in the hands of Microsoft.

#RubyGems from #Ruby ended up in the hands of a nazi libertarian.

It feels like #OSS and #FOSS are being attacked on a daily basis.

Do anyone have information regarding #PyPi from #Python, is it also compromised? As far as I know, PyPi stopped working with pip search ("Use the browser") and the website needs JS to function (because it uses some PoW browser checking), so using Lynx or elinks as a sysadmin on a terminal-only machine in order to search for Python packages have been a no-no. Wonder how much it's due to similar phenomenon going on with Ruby and Node.js ecosystems.

Kat Marchán 🐈

@zkat@toot.cat

cross-posting my little rant about #npm #npmattack #javascript #typescript stuff here:

Random NPM thoughts of the day:

The primary NPM registry should be obsoleted entirely ASAP
JSR does not do anywhere near as much as it should, and it's probably too late to fix.
A proper successor must only support "standard" JS, though temporarily accepting "strippable types" is ok rn
All packages MUST be ESM (JSR ok here)
MUST include docstrings on all publicly-reachable interfaces.
MUST NOT include any type of dependency other than a named registry dependency with a semver version (no git deps etc)
MUST have a non-trivial README.
MUST be tied to a PUBLIC repo.
MUST NOT have install scripts (yeah sorry, the fight's over)
MUST clearly include a license, even if the license is "source available, not open source". This restriction MUST NOT limit to OSI's ridiculous list.
MUST have a name that is scoped to its publishing user/org (@foo/bar)All of the above constraints MUST be checked at publish time.

Furthermore, the registry MUST provide the following, based on this:

Full browsable (published) package sources, right on the site. With linkable paths. None of this absolute trash NPM decided to do.
Autogenerated API docs.
Lower-traffic packages that have not had a new version in 6 months should be completely delisted. They can be installed, with a warning printed.
Usernames/org names and package names must employ a suitably-aggressive levenshtein distance for potential conflicts. This should be aggressive.
Packages cannot be transferred between accounts, and it's against policy to allow others access to your personal account. Orgs can work around this.
Top 1000 packages (maybe more) have all new publishes put on hold for 7 days, and placed into a public review queue, overridden by [tbd?staff?]
Y'all aren't gonna like this but: package installation should be reasonably throttled. Both to keep costs down, and to encourage people to do something less lazy than "I'm just going to install all 2k dependencies on CI every time I push a docs change". It's wasteful and harmful for many reasons.

I think that's all I got off the top of my head for now.

There's honestly a lot of stuff that could be done on the client side to make life better, too, and y'all know I have a ton of thoughts on that, but I wanted to rant about registries for a bit, esp now that the NPM registry is crumbling.

Tane Piper

@tanepiper@tane.codes

Oh no, not again... a meditation on #NPM supply chain attacks

https://tane.dev/2025/09/oh-no-not-again...-a-meditation-on-npm-supply-chain-attacks/

Tane Piper

@tanepiper@tane.codes

Oh no, not again... a meditation on #NPM supply chain attacks

https://tane.dev/2025/09/oh-no-not-again...-a-meditation-on-npm-supply-chain-attacks/

derekheld

@derekheld@infosec.exchange

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm

Emelia 👸🏻

@thisismissem@hachyderm.io · Reply to Emelia 👸🏻's post

Also, npm now supports trusted publishing: https://docs.npmjs.com/trusted-publishers

This means you don't need a static token in your CI/CD configuration anymore.

#npm #npmattack

Emelia 👸🏻

@thisismissem@hachyderm.io

Pro-tip for npm: rather than using a classic access token in your ~/.npmrc file, generate a granular access token that only has read permissions.

That way if something does compromise you, they only get access to the read token and cannot publish on your behalf.

#npm #npmattack

derekheld

@derekheld@infosec.exchange

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm

Ben Hardill

@ben@hardill.me.uk

Hmm, most of my GitHub CI jobs are failing because it appears NPM have added rate limiting.

Remind me again, who owns both NPM and GitHub these days?

#GitHub #npm

Ben Hardill

@ben@hardill.me.uk

Hmm, most of my GitHub CI jobs are failing because it appears NPM have added rate limiting.

Remind me again, who owns both NPM and GitHub these days?

#GitHub #npm

洪民憙 (Hong Minhee)

BastilleBSD

@BastilleBSD@fosstodon.org

Are npm packages and dependencies an unmitigated disaster, or is it just me?

#npm #dependencyhell

Alex0007

@Alex0007@mastodon.social

It's crazy that `graphql-depth-limit` (with its Git repository removed and not being updated for 8 years) has 750k weekly downloads, while the actual `@graphile/depth-limit` library (updated, typed, from a GraphQL maintainer) has only 400 downloads.

#GraphQL #npm

lil5 🚲 🇳🇱

@lil5@social.linux.pizza

#nodejs #denojs #jsr #bunjs #npm #webdev #javascript

Option	Voters
Deno	4 (57%)
Bun	3 (43%)

skry

@skry@mastodon.social

“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.

And now attackers are catching on.”

The Rise of Slopsquatting: How #AI Hallucinations Are Fueling... https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks #npm #dev #infosec

Edit: more info: https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/

skry

@skry@mastodon.social

And now attackers are catching on.”

The Rise of Slopsquatting: How #AI Hallucinations Are Fueling... https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks #npm #dev #infosec

Edit: more info: https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/

Richie Khoo

@richiekhoo@hachyderm.io

Package Manager for Markdown

I'm working on a project that is intended to encourage folk to make markdown text files which can be bundled together in different bundles of text files using a package manager.

Question for coders; Which package manager would you suggest I use?

Main criterias (in order) are:

1. Easy for someone with basic command line skills to edit the file and update version numbers and add additional packages.

2. All being equal, more commonly and easy to setup is preferred.

#Markdown #CommonMark #PackageManager #Programming #Dev
#NPM #RubyGems #Cargo #PickingAMastodonInstance
#Ruby #Python #Rust #Javascript #NodeJs #Lisp #CommonGuide