#npm

Waseem

@iamwaseem@mastodon.social

It's been some weeks with npm exploits. But there is a fix: Deno's limited permissions can help here.
deno.com/blog/deno-protects-np

Daemon Silverstein

@dsilverz@calckey.world

from .js ended up in the hands of Microsoft.

from ended up in the hands of a nazi libertarian.

It feels like and are being attacked on a daily basis.

Does anyone have information regarding from , is it also compromised? As far as I know, PyPI stopped working with pip search ("Use the browser") and the website needs JS to function (because it uses some PoW browser checking), so using Lynx or elinks as a sysadmin on a terminal-only machine in order to search for Python packages has been a no-no. I wonder how much of it is due to a similar phenomenon going on with the Ruby and Node.js ecosystems.

Kat Marchán 🐈

@zkat@toot.cat

cross-posting my little rant about stuff here:

Random NPM thoughts of the day:

  1. The primary NPM registry should be obsoleted entirely ASAP
  2. JSR does not do anywhere near as much as it should, and it's probably too late to fix.
  3. A proper successor must only support "standard" JS, though temporarily accepting "strippable types" is ok rn
  4. All packages MUST be ESM (JSR ok here)
  5. MUST include docstrings on all publicly-reachable interfaces.
  6. MUST NOT include any type of dependency other than a named registry dependency with a semver version (no git deps etc)
  7. MUST have a non-trivial README.
  8. MUST be tied to a PUBLIC repo.
  9. MUST NOT have install scripts (yeah sorry, the fight's over)
  10. MUST clearly include a license, even if the license is "source available, not open source". This restriction MUST NOT limit to OSI's ridiculous list.
  11. MUST have a name that is scoped to its publishing user/org (@foo/bar)

All of the above constraints MUST be checked at publish time.

Furthermore, the registry MUST provide the following, based on this:

  1. Full browsable (published) package sources, right on the site. With linkable paths. None of this absolute trash NPM decided to do.
  2. Autogenerated API docs.
  3. Lower-traffic packages that have not had a new version in 6 months should be completely delisted. They can be installed, with a warning printed.
  4. Usernames/org names and package names must employ a suitably-aggressive levenshtein distance for potential conflicts. This should be aggressive.
  5. Packages cannot be transferred between accounts, and it's against policy to allow others access to your personal account. Orgs can work around this.
  6. Top 1000 packages (maybe more) have all new publishes put on hold for 7 days, and placed into a public review queue, overridden by [tbd?staff?]
  7. Y'all aren't gonna like this but: package installation should be reasonably throttled. Both to keep costs down, and to encourage people to do something less lazy than "I'm just going to install all 2k dependencies on CI every time I push a docs change". It's wasteful and harmful for many reasons.

I think that's all I got off the top of my head for now.

There's honestly a lot of stuff that could be done on the client side to make life better, too, and y'all know I have a ton of thoughts on that, but I wanted to rant about registries for a bit, esp now that the NPM registry is crumbling.
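
One way to enforce the manifest-level subset of the publish-time constraints listed above, as an added example written for this page (not code from the post's author, from npm or from JSR). It checks a parsed package.json together with the README text. The field names follow package.json conventions; the rule details (which lifecycle scripts count as install scripts, what counts as a registry semver spec, the README length threshold) and the two sample manifests are assumptions. Docstring coverage and whether the repository is actually public cannot be read from the manifest, so they are out of scope here.

```javascript
// Added example for this page; not the behaviour of npm or JSR.

// Lifecycle scripts npm runs when a package is installed as a dependency.
// The post says a successor registry must refuse these outright.
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall"];

// "Named registry dependency with a semver version": an exact version or a
// caret/tilde range. Git URLs, tarballs, file:, npm: aliases, dist-tags such
// as "latest" and wildcards all fail this pattern (assumed rule).
const SEMVER_RANGE = /^[\^~]?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Names must be scoped to the publishing user/org: @scope/name.
const SCOPED_NAME = /^@[a-z0-9][a-z0-9._-]*\/[a-z0-9][a-z0-9._-]*$/;

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

const MIN_README_CHARS = 200; // assumed threshold for "non-trivial"

/**
 * Check a parsed package.json plus README text against the publish policy.
 * Returns an array of violation strings; an empty array means "publishable".
 */
function checkPublish(manifest, readme = "") {
  const violations = [];

  if (typeof manifest.name !== "string" || !SCOPED_NAME.test(manifest.name)) {
    violations.push(`name must be scoped (@scope/name): ${JSON.stringify(manifest.name)}`);
  }
  if (manifest.type !== "module") {
    violations.push('package must be ESM ("type": "module")');
  }
  if (typeof manifest.license !== "string" || manifest.license.trim() === "") {
    violations.push("license must be stated (any clearly named license, not only OSI-approved ones)");
  }
  // repository may be a string or { type, url }; public visibility has to be
  // verified against the forge, which this offline check cannot do.
  const repoUrl = manifest.repository && (manifest.repository.url ?? manifest.repository);
  if (typeof repoUrl !== "string" || repoUrl.trim() === "") {
    violations.push("repository URL must be present");
  }
  for (const script of INSTALL_SCRIPTS) {
    if (manifest.scripts && script in manifest.scripts) {
      violations.push(`install script not allowed: scripts.${script}`);
    }
  }
  for (const field of DEP_FIELDS) {
    for (const [dep, spec] of Object.entries(manifest[field] ?? {})) {
      if (typeof spec !== "string" || !SEMVER_RANGE.test(spec)) {
        violations.push(`${field}.${dep}: "${spec}" is not a registry semver dependency`);
      }
    }
  }
  if (readme.trim().length < MIN_README_CHARS) {
    violations.push(`README is trivial (${readme.trim().length} chars, need ${MIN_README_CHARS})`);
  }
  return violations;
}

// Constructed sample manifests (not real packages).
const GOOD_MANIFEST = {
  name: "@acme/widget",
  version: "1.2.0",
  type: "module",
  license: "MIT",
  repository: { type: "git", url: "https://github.com/acme/widget" },
  scripts: { test: "node --test" },
  dependencies: { "@acme/core": "^2.0.0" },
};

const BAD_MANIFEST = {
  name: "widget",
  version: "1.2.0",
  scripts: { postinstall: "node ./setup.js" },
  dependencies: { lodash: "github:lodash/lodash", chalk: "latest" },
};

const GOOD_README = "# @acme/widget\n\n".padEnd(MIN_README_CHARS + 40, "Usage, API notes and examples. ");

console.log(checkPublish(GOOD_MANIFEST, GOOD_README)); // []
console.log(checkPublish(BAD_MANIFEST, "todo"));       // eight violations
```

Wired into a registry's publish endpoint, or into a pre-publish CI step as a stand-in until a registry does it, a non-empty result rejects the publish. The point of checking here rather than at install time is that the package never reaches the registry in the first place.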

Tane Piper

@tanepiper@tane.codes

Oh no, not again... a meditation on supply chain attacks

tane.dev/2025/09/oh-no-not-aga

derekheld

@derekheld@infosec.exchange

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago.

Emelia 👸🏻

@thisismissem@hachyderm.io · Reply to Emelia 👸🏻's post

Also, npm now supports trusted publishing: docs.npmjs.com/trusted-publish

This means you don't need a static token in your CI/CD configuration anymore.

Emelia 👸🏻

@thisismissem@hachyderm.io

Pro-tip for npm: rather than using a classic access token in your ~/.npmrc file, generate a granular access token that only has read permissions.

That way if something does compromise you, they only get access to the read token and cannot publish on your behalf.

Ben Hardill

@ben@hardill.me.uk

Hmm, most of my GitHub CI jobs are failing because it appears NPM have added rate limiting.

Remind me again, who owns both NPM and GitHub these days?

洪 民憙 (Hong Minhee)

@hongminhee@hollo.social

Introducing !

A simple, cross-runtime email library that works seamlessly on , .js, , and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.

Switch between , , without changing your code. Available on & !

https://upyo.org/

BastilleBSD :freebsd:

@BastilleBSD@fosstodon.org

Are npm packages and dependencies an unmitigated disaster, or is it just me?

Alex0007

@Alex0007@mastodon.social

It's crazy that `graphql-depth-limit` (with its Git repository removed and not being updated for 8 years) has 750k weekly downloads, while the actual `@graphile/depth-limit` library (updated, typed, from a GraphQL maintainer) has only 400 downloads.

lil5 :golang: 🚲 🇳🇱

@lil5@social.linux.pizza

Option: voters
Deno: 4 (57%)
Bun: 3 (43%)

skry

@skry@mastodon.social

“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.

And now attackers are catching on.”

The Rise of Slopsquatting: How Hallucinations Are Fueling... socket.dev/blog/slopsquatting-

Edit: more info: bleepingcomputer.com/news/secu
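
A screen you can run over a dependency list before installing it, added here as an example for this page rather than code from the linked articles or from any registry. It combines the two name-based checks this thread raises: a name that matches nothing known is the shape a hallucinated package takes, and a name within a small edit distance of a well-known package is the typosquat or lookalike shape that the publish-time Levenshtein policy in Kat Marchán's post above would refuse. The known-package list is a constructed stand-in for a registry query or a cached index of popular names, and the distance threshold is an assumption.

```javascript
// Added example for this page; not code from any registry or article.

// Constructed stand-in for "packages known to exist on the registry".
// In practice this is a registry lookup or a cached index of the most
// downloaded names; only the screening logic is the point here.
const KNOWN_PACKAGES = [
  "express", "lodash", "react", "chalk", "axios", "debug",
  "ansi-styles", "color-convert", "supports-color",
];

// Classic Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1] for the current j
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      row[j] = Math.min(
        above + 1,                              // deletion
        row[j - 1] + 1,                         // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
      diag = above;
    }
  }
  return row[b.length];
}

// Fold case and drop punctuation so "lo-dash" and "LoDash" both compare as
// "lodash"; squatters rely on exactly those variations.
function normalize(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, "");
}

/**
 * Classify one dependency name.
 *   known:     exactly a name in the known list
 *   lookalike: not known, but within maxDistance edits of a known name
 *   unknown:   nothing known nearby (candidate hallucination / slopsquat)
 */
function screenDependency(name, known = KNOWN_PACKAGES, maxDistance = 2) {
  if (known.includes(name)) return { name, verdict: "known", matches: [name] };
  const n = normalize(name);
  const matches = known.filter((k) => levenshtein(n, normalize(k)) <= maxDistance);
  return { name, verdict: matches.length ? "lookalike" : "unknown", matches };
}

// Screen every name in a package.json "dependencies" object.
function screenDependencies(deps, known = KNOWN_PACKAGES, maxDistance = 2) {
  return Object.keys(deps).map((d) => screenDependency(d, known, maxDistance));
}

// Constructed sample: a known name, a typo of it, a punctuation variant of
// another known name, and a plausible-sounding name that exists nowhere.
const SAMPLE_DEPS = {
  express: "^4.19.0",
  expres: "^4.19.0",
  "lo-dash": "4.17.21",
  "axios-retry-helper": "1.0.0",
};

for (const r of screenDependencies(SAMPLE_DEPS)) {
  console.log(`${r.verdict.padEnd(9)} ${r.name}${r.matches.length ? "  ~ " + r.matches.join(", ") : ""}`);
}
```

With short names a threshold of 2 also flags legitimate neighbours (two real five-letter names can differ in two characters), which is the "suitably aggressive" behaviour the registry proposal wants at publish time. On the install side, treat "lookalike" and "unknown" as "stop and look the package up by hand" rather than as proof of malice.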

Richie Khoo

@richiekhoo@hachyderm.io

Package Manager for Markdown

I'm working on a project that is intended to encourage folk to make markdown text files which can be bundled together in different bundles of text files using a package manager.

Question for coders: which package manager would you suggest I use?

Main criteria (in order) are:

1. Easy for someone with basic command line skills to edit the file, update version numbers and add additional packages.

2. All being equal, more common and easier to set up is preferred.

Maho Pacheco 🦝🍻

@mapache@hachyderm.io

Rust cargo is the new npm-packages lol

Chee Aun 🤔

@cheeaun@mastodon.social

Huh, Runkit has been gone for a few months and npm pages are still linking to it github.com/orgs/community/disc

The forum is also filled with reports and spam discuss.runkit.com/ 😥

Deno

@deno_land@fosstodon.org

Are you still using npm transpile services like esm.sh and unpkg.com?
❌ dependency deduplication
❌ install hooks and native add-ons
❌ loading data files

Here's why we recommend importing npm packages natively via npm specifiers 👇

deno.com/blog/not-using-npm-sp

Inautilo

@inautilo@mastodon.social

SQL Noir · A game to learn SQL by solving crimes ilo.im/162ciw

Emelia 👸🏻

@thisismissem@hachyderm.io

Why does the npm user or organisation on npm have 64,788 packages?

[Image: screenshot of the user or organisation profile for npm on the npm registry showing 64,788 packages, all from different authors.]

⚯ Michel de Cryptadamus ⚯

@cryptadamist@universeodon.com · Reply to @reiver ⊼ (Charles) :batman:'s post

@reiver i built on to make a customizable feed algorithm that is pretty much how i interact with these days. it's available as an package.

here's the demo app: github.com/michelcrypt4d4mus/f

this is what the demo app looks like:

[Image: screenshot of fedialgo in action.]

Szymon Standarski

@standarski@mastodon.social

🚀 npm install vs. npm ci

• npm install: 📦 Installs dependencies from package.json, updates package-lock.json if needed. Flexible but slower.
• npm ci: ⚡ Clean, fast install based only on package-lock.json. Reproducible builds, perfect for CI/CD.

💡Tip: Use npm ci for consistent, reliable deployments! ✅
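
Because `npm ci` installs exactly what package-lock.json says, the lockfile is the thing to audit before trusting a CI install. The check below is an added example for this page, not npm's own code: it walks a lockfileVersion 3 lockfile and reports entries that do not resolve to the public registry over HTTPS or that lack a sha512 integrity hash, the two properties that make a `npm ci` run reproducible and tamper-evident. The sample lockfile, including its hash, is constructed; the registry URL is the public default and would differ for a private mirror.

```javascript
// Added example for this page; not part of npm.

// Expected origin of every fetched tarball (assumption: public registry,
// no private mirror). Adjust for an internal proxy.
const REGISTRY = "https://registry.npmjs.org/";

/**
 * Audit a parsed package-lock.json (lockfileVersion 3).
 * Returns an array of findings; an empty array means every fetched package
 * is pinned to a registry URL and carries a sha512 integrity hash.
 */
function auditLockfile(lock) {
  const findings = [];
  if (lock.lockfileVersion !== 3) {
    findings.push(`unexpected lockfileVersion ${lock.lockfileVersion}; this check assumes v3`);
  }
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue;   // the root project itself, nothing is fetched
    if (entry.link) continue;    // workspace symlink, nothing is fetched
    if (typeof entry.resolved !== "string") {
      findings.push(`${path}: no resolved URL`);
    } else if (!entry.resolved.startsWith(REGISTRY)) {
      findings.push(`${path}: resolves outside the registry (${entry.resolved})`);
    }
    if (typeof entry.integrity !== "string" || !entry.integrity.startsWith("sha512-")) {
      findings.push(`${path}: missing or non-sha512 integrity (${entry.integrity ?? "none"})`);
    }
  }
  return findings;
}

// Constructed sample lockfile: one clean entry and one that points at an
// off-registry tarball with no integrity hash. The hash is a placeholder.
const SAMPLE_LOCK = {
  name: "demo-app",
  version: "1.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "@acme/core": "2.0.0", "some-lib": "2.0.0" } },
    "node_modules/@acme/core": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/@acme/core/-/core-2.0.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==",
    },
    "node_modules/some-lib": {
      version: "2.0.0",
      resolved: "https://example.invalid/mirror/some-lib-2.0.0.tgz",
      // no integrity field at all
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log("FAIL", f);
```

To use it on a real project, replace the constructed SAMPLE_LOCK with `JSON.parse` of the real file and fail the pipeline on a non-empty result. Pair it with `npm ci --ignore-scripts` if the build should also refuse to run install-time lifecycle scripts.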

Deno

@deno_land@fosstodon.org

Deno 🤝️ Nuxt.js

docs.deno.com/examples/nuxt_tu

Deno

@deno_land@fosstodon.org

Deno 2.1.5 just landed —

▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces

github.com/denoland/deno/relea

Deno

@deno_land@fosstodon.org

Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical committee 55 (TC55).

Goodbye WinterCG, welcome WinterTC!

deno.com/blog/wintertc

Deno

@deno_land@fosstodon.org

Thank you for your support in helping us reach 100,000 GitHub stars! ⭐️

github.com/denoland/deno

Deno

@deno_land@fosstodon.org

Deno can now finally be installed through npm!

npm install -g deno

npx deno eval -p 1+2

npmjs.com/package/deno

tea 🌺

@thomasreggi@indieweb.social

Would love thoughts and feedback on my Future / deferred promise library:

npmjs.com/package/@reggi/futur

Be kind ❤️

Deno

@deno_land@fosstodon.org

Easily check for outdated dependencies with `deno outdated` 👇️

docs.deno.com/runtime/referenc

[Image: deno outdated checking for outdated dependencies.]

Deno

@deno_land@fosstodon.org

this wren wants to remind you that Deno permission flags have shorthands

deno.com/blog/v1.46#short-hand

[Image: Deno permission flags have shorthands.]

Deno

@deno_land@fosstodon.org

Deno 2.1 is out 🎉️
✈️️ first class Wasm support
🌳️ Long Term Support branch
⭐️ Improved dependency management
and much more!

deno.com/blog/v2.1

Angelika Cathor

@angelikatyborska@mas.to

I wrote my thoughts on how to decide what's a regular dependency and what's a dev dependency in a JavaScript app (not library). It's surprisingly unclear... angelika.me/2024/11/11/depende

Deno

@deno_land@fosstodon.org

Deno is a JavaScript package manager with more flexibility:
📦️ npm and JSR
🛠️️ package.json and deno.json
👟️ fast

deno.com/blog/your-new-js-pack

Deno

@deno_land@fosstodon.org

The 🦕️ is out of the bag...

youtube.com/watch?v=pcC4Dr6Wj2

Deno

@deno_land@fosstodon.org

Curious about how the JSR logo and website design came together? 🤔️

Here's a 👀️ into our design process.

deno.com/blog/designing-jsr

Deno

@deno_land@fosstodon.org

Deno 1.46 is not only the last 1.x release, but also one of the biggest:
- Simpler CLI
- Multi-threaded web servers
- HTML, CSS, YAML support in `deno fmt`
- Better Node/npm compat (support for playwright, google-cloud, etc.)
and much more 👇️

deno.com/blog/v1.46

Deno

@deno_land@fosstodon.org

Deno is known for its HTTP imports, but we've found it's insufficient for larger projects. This post explains the situation and how we've improved it.

deno.com/blog/http-imports

Deno

@deno_land@fosstodon.org

std/data-structures, common data structures including red-black trees and binary heaps, is now stabilized at v1 on JSR

jsr.io/@std/data-structures

Fedify: ActivityPub server framework

@fedify@hollo.social

The fedify command is now available on ! You can install it using the following command:

npm install -g @fedify/cli

Or if you use :

bun install -g @fedify/cli

https://www.npmjs.com/package/@fedify/cli

NosirrahSec 🏴‍☠️

@NosirrahSec@infosec.exchange

CVE-2023-49210 - node-openssl, this sounds like a malicious node package and it's just now popping in Defender Vulnerability Management inventories.

Did we miss some big story about this or is this just a case of the NVD backlog catching up and thus downstream ingestion of that information is just now making it to the masses?

I figured a malicious OSS package/update getting put into the ecosystem would be a hot article after the debacle.

Anyone got better info than I do after doing some hunting? All I have are the initial detections from 3rd parties in November of 2023.