#npm

Karsten Schmidt

@toxi@mastodon.thi.ng · Reply to Karsten Schmidt's post

So to make it all even "better": To use Trusted Publishing, one also has to manually set up a GitHub Actions integration on npmjs.org for every single package individually! This is just mind boggling and infeasible and means I'd have to manually fill in a form 200+ times (for that many packages) before I could even properly test this new publishing workflow.

Other people who're maintaining thousands of packages (e.g. DefinitelyTyped, Fontsource) have chimed in here too: github.com/orgs/community/disc

Let's hope this will be addressed!

Karsten Schmidt

@toxi@mastodon.thi.ng

So am I understanding this correctly that the upcoming NPM authentication and token changes mean our only publishing workflow options henceforth are either switching to OIDC Trusted Publishing[1] via GitHub Actions or using granular access tokens? The problem with the former is that I wanted to migrate my projects to Codeberg soon (which isn't supported). The problem with the latter is that granular tokens are unsuitable for publishing packages from a large monorepo, since these tokens are limited to 50 packages only (in addition to time limits)[2].

My thi.ng/umbrella repo contains 210 packages, so in order to publish them (sometimes all of them will need to be updated) I'd have to first generate multiple tokens and then also keep track of how many times each token has been used. This adds a lot of extra work and complexity to my monorepo publishing tool (thi.ng/monopub). I understand the need for improved NPM security, but as so often, these changes are just poorly thought through (IMO) and continuously add new workloads and complexity on maintainers...

[1] docs.npmjs.com/trusted-publish
[2] docs.npmjs.com/about-access-to

ansuz / ऐरन

@ansuz@social.cryptography.dog

The folks at npm sent out an email indicating that they were changing their security policies relating to the use of 2FA.

The information given was pretty vague, but they linked to a few resources for further reading. These included:

1. a gh.io link - which does not look authoritative at all

2. a random discussion on github, not even one on an npm-operated org

3. npm's generic support page

...and they wonder why people fall for phishing schemes :blobcat_thisisfine:

Patrick Wu :neocat_flag_bi:

@patrick@hatoya.cafe

One Open-source Project Daily

The NPM drinking game recreated and cli-ified with Deno

https://github.com/ninest/drink-if-exists

Kat Marchán 🐈

@zkat@toot.cat

lmao now legitimate security emails from NPM are considered phishing. What a shitshow.

screenshot of an email that clearly says it's from support@npmjs.com, a legitimate email address belonging to the NPM support team. Fastmail has flagged it as suspicious, and that it might be a phishing attempt. The email seems to be about some "security improvements".
Lovell Fuller

@lovell@mastodon.social

🔒 If you publish packages to the npm registry and haven't already seen its new Trusted Publisher feature, please do take a look at docs.npmjs.com/trusted-publish

🎟️ It uses short-lived OIDC tokens to allow CI-based automation of signed publish-with-provenance.

📈 According to github.com/sxzz/npm-top-proven I maintain 6 of the top 50 packages that use this feature, and those 6 packages combined have over 600 million downloads each month!

Waseem

@iamwaseem@mastodon.social

It's been some weeks with npm exploits. But there is a fix: Deno's limited permissions can help here.
deno.com/blog/deno-protects-np

Daemon Silverstein

@dsilverz@calckey.world

from .js ended up in the hands of Microsoft.

from ended up in the hands of a nazi libertarian.

It feels like and are being attacked on a daily basis.

Does anyone have information regarding
from , is it also compromised? As far as I know, PyPI stopped working with pip search ("Use the browser") and the website needs JS to function (because it uses some PoW browser checking), so using Lynx or elinks as a sysadmin on a terminal-only machine in order to search for Python packages has been a no-no. Wonder how much it's due to similar phenomenon going on with Ruby and Node.js ecosystems.

Kat Marchán 🐈

@zkat@toot.cat

cross-posting my little rant about stuff here:

Random NPM thoughts of the day:

  1. The primary NPM registry should be obsoleted entirely ASAP
  2. JSR does not do anywhere near as much as it should, and it's probably too late to fix.
  3. A proper successor must only support "standard" JS, though temporarily accepting "strippable types" is ok rn
  4. All packages MUST be ESM (JSR ok here)
  5. MUST include docstrings on all publicly-reachable interfaces.
  6. MUST NOT include any type of dependency other than a named registry dependency with a semver version (no git deps etc)
  7. MUST have a non-trivial README.
  8. MUST be tied to a PUBLIC repo.
  9. MUST NOT have install scripts (yeah sorry, the fight's over)
  10. MUST clearly include a license, even if the license is "source available, not open source". This restriction MUST NOT limit to OSI's ridiculous list.
  11. MUST have a name that is scoped to its publishing user/org (@foo/bar)

All of the above constraints MUST be checked at publish time.

Furthermore, the registry MUST provide the following, based on this:

  1. Full browsable (published) package sources, right on the site. With linkable paths. None of this absolute trash NPM decided to do.
  2. Autogenerated API docs.
  3. Lower-traffic packages that have not had a new version in 6 months should be completely delisted. They can be installed, with a warning printed.
  4. Usernames/org names and package names must employ a suitably-aggressive Levenshtein distance for potential conflicts. This should be aggressive.
  5. Packages cannot be transferred between accounts, and it's against policy to allow others access to your personal account. Orgs can work around this.
  6. Top 1000 packages (maybe more) have all new publishes put on hold for 7 days, and placed into a public review queue, overridden by [tbd?staff?]
  7. Y'all aren't gonna like this but: package installation should be reasonably throttled. Both to keep costs down, and to encourage people to do something less lazy than "I'm just going to install all 2k dependencies on CI every time I push a docs change". It's wasteful and harmful for many reasons.

I think that's all I got off the top of my head for now.

There's honestly a lot of stuff that could be done on the client side to make life better, too, and y'all know I have a ton of thoughts on that, but I wanted to rant about registries for a bit, esp now that the NPM registry is crumbling.

Tane Piper

@tanepiper@tane.codes

Oh no, not again... a meditation on supply chain attacks

tane.dev/2025/09/oh-no-not-aga

derekheld

@derekheld@infosec.exchange

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago.

Emelia 👸🏻

@thisismissem@hachyderm.io · Reply to Emelia 👸🏻's post

Also, npm now supports trusted publishing: docs.npmjs.com/trusted-publish

This means you don't need a static token in your CI/CD configuration anymore.

Emelia 👸🏻

@thisismissem@hachyderm.io

Pro-tip for npm: rather than using a classic access token in your ~/.npmrc file, generate a granular access token that only has read permissions.

That way if something does compromise you, they only get access to the read token and cannot publish on your behalf.

Ben Hardill

@ben@hardill.me.uk

Hmm, most of my GitHub CI jobs are failing because it appears NPM have added rate limiting.

Remind me again, who owns both NPM and GitHub these days?

洪 民憙 (Hong Minhee)

@hongminhee@hollo.social

Introducing !

A simple, cross-runtime email library that works seamlessly on , .js, , and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.

Switch between , , without changing your code. Available on & !

https://upyo.org/

BastilleBSD :freebsd:

@BastilleBSD@fosstodon.org

Are npm packages and dependencies an unmitigated disaster, or is it just me?

Alex0007

@Alex0007@mastodon.social

It's crazy that `graphql-depth-limit` (with its Git repository removed and not being updated for 8 years) has 750k weekly downloads, while the actual `@graphile/depth-limit` library (updated, typed, from a GraphQL maintainer) has only 400 downloads.

lil5 :golang: 🚲 🇳🇱

@lil5@social.linux.pizza

Poll (option: voters)
Deno: 4 (57%)
Bun: 3 (43%)

skry

@skry@mastodon.social

“slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem.

And now attackers are catching on.”

The Rise of Slopsquatting: How Hallucinations Are Fueling... socket.dev/blog/slopsquatting-

Edit: more info: bleepingcomputer.com/news/secu

Richie Khoo

@richiekhoo@hachyderm.io

Package Manager for Markdown

I'm working on a project that is intended to encourage folk to make markdown text files which can be bundled together in different bundles of text files using a package manager.

Question for coders: which package manager would you suggest I use?

Main criteria (in order) are:

1. Easy for someone with basic command line skills to edit the file and update version numbers and add additional packages.

2. All being equal, more commonly and easy to setup is preferred.

Maho Pacheco 🦝🍻

@mapache@hachyderm.io

Rust cargo is the new npm-packages lol

Chee Aun 🤔

@cheeaun@mastodon.social

Huh, Runkit has been gone for a few months and npm pages are still linking to it github.com/orgs/community/disc

The forum is also filled with reports and spam discuss.runkit.com/ 😥

Deno

@deno_land@fosstodon.org

Are you still using npm transpile services like esm.sh and unpkg.com?
❌ dependency deduplication
❌ install hooks and native add-ons
❌ loading data files

Here's why we recommend importing npm packages natively via npm specifiers 👇

deno.com/blog/not-using-npm-sp

Inautilo

@inautilo@mastodon.social

SQL Noir · A game to learn SQL by solving crimes ilo.im/162ciw

Emelia 👸🏻

@thisismissem@hachyderm.io

Why does the npm user or organisation on npm have 64,788 packages?

Screenshot of the user or organisation profile for npm on the npm registry showing 64,788 packages all from different authors.
⚯ Michel de Cryptadamus ⚯

@cryptadamist@universeodon.com · Reply to @reiver ⊼ (Charles) :batman:'s post

@reiver i built on to make a customizable feed algorithm that is pretty much how i interact with these days. it's available as an package.

here's the demo app: github.com/michelcrypt4d4mus/f

this is what the demo app looks like:

screenshot of fedialgo in action
Szymon Standarski

@standarski@mastodon.social

🚀 npm install vs. npm ci

• npm install: 📦 Installs dependencies from package.json, updates package-lock.json if needed. Flexible but slower.
• npm ci: ⚡ Clean, fast install based only on package-lock.json. Reproducible builds, perfect for CI/CD.

💡Tip: Use npm ci for consistent, reliable deployments! ✅

Deno

@deno_land@fosstodon.org

Deno 🤝️ Nuxt.js

docs.deno.com/examples/nuxt_tu

Deno

@deno_land@fosstodon.org

Deno 2.1.5 just landed —

▸ new QUIC API
▸ improved Discord.js compatibility
▸ better tasks support in workspaces

github.com/denoland/deno/relea

Deno

@deno_land@fosstodon.org

Deno is committed to web standards - that's why we co-founded WinterCG two years ago. Today marks the next step in that journey: WinterCG moves to Ecma International as technical committee 55 (TC55).

Goodbye WinterCG, welcome WinterTC!

deno.com/blog/wintertc

Deno

@deno_land@fosstodon.org

Thank you for your support in helping us reach 100,000 GitHub stars! ⭐️

github.com/denoland/deno

Deno

@deno_land@fosstodon.org

Deno can now finally be installed through npm!

npm install -g deno

npx deno eval -p 1+2

npmjs.com/package/deno

tea 🌺

@thomasreggi@indieweb.social

Would love thoughts and feedback on my Future / deferred promise library:

npmjs.com/package/@reggi/futur

Be kind ❤️

Deno

@deno_land@fosstodon.org

Easily check for outdated dependencies with `deno outdated` 👇️

docs.deno.com/runtime/referenc

Deno outdated will check for outdated dependencies.
Deno

@deno_land@fosstodon.org

this wren wants to remind you that Deno permission flags have shorthands

deno.com/blog/v1.46#short-hand

deno permission flags have shorthands
Deno

@deno_land@fosstodon.org

Deno 2.1 is out 🎉️
✈️️ first class Wasm support
🌳️ Long Term Support branch
⭐️ Improved dependency management
and much more!

deno.com/blog/v2.1

Angelika Cathor

@angelikatyborska@mas.to

I wrote my thoughts on how to decide what's a regular dependency and what's a dev dependency in a JavaScript app (not library). It's surprisingly unclear... angelika.me/2024/11/11/depende

Deno

@deno_land@fosstodon.org

Deno is a JavaScript package manager with more flexibility:
📦️ npm and JSR
🛠️️ package.json and deno.json
👟️ fast

deno.com/blog/your-new-js-pack

Deno

@deno_land@fosstodon.org

The 🦕️ is out of the bag...

youtube.com/watch?v=pcC4Dr6Wj2

Deno

@deno_land@fosstodon.org

Curious about how the JSR logo and website design came together? 🤔️

Here's a 👀️ into our design process.

deno.com/blog/designing-jsr

Deno

@deno_land@fosstodon.org

Deno 1.46 is not only the last 1.x release, but also one of the biggest:
- Simpler CLI
- Multi-threaded web servers
- HTML, CSS, YAML support in `deno fmt`
- Better Node/npm compat (support for playwright, google-cloud, etc.)
and much more 👇️

deno.com/blog/v1.46

Deno

@deno_land@fosstodon.org

Deno is known for its HTTP imports, but we've found it's insufficient for larger projects. This post explains the situation and how we've improved it.

deno.com/blog/http-imports

Deno

@deno_land@fosstodon.org

std/data-structures, common data structures including red-black trees and binary heaps, is now stabilized at v1 on JSR

jsr.io/@std/data-structures

Fedify: ActivityPub server framework

@fedify@hollo.social

The fedify command is now available on ! You can install it using the following command:

npm install -g @fedify/cli

Or if you use :

bun install -g @fedify/cli

https://www.npmjs.com/package/@fedify/cli

NosirrahSec 🏴‍☠️

@NosirrahSec@infosec.exchange

CVE-2023-49210 - node-openssl, this sounds like a malicious node package and it's just now popping in Defender Vulnerability Management inventories.

Did we miss some big story about this or is this just a case of the NVD backlog catching up and thus downstream ingestion of that information is just now making it to the masses?

I figured a malicious OSS package/update getting put into the ecosystem would be a hot article after the debacle.

Anyone got better info than I do after doing some hunting? All I have are the initial detections from 3rd parties in November of 2023.