Mikeal and Chris welcome (back) special guest Fred K. Schott, who you may recall from our episode on Pika. This time, we’re talking ESM: what it is, what’s new about it, why it’s the future, writing libraries with it, and much more.
The npm ecosystem seems unwell. If you are concerned with security, reliability, or long-term maintenance, it is almost impossible to pick a suitable package to use — both because there are 1.3 million packages available, and even if you find one that is well documented and maintained, it might depend on hundreds of other packages, with dependency trees stretching ten or more levels deep — as one developer, it’s impossible to validate them all.
He then spends some time measuring the extent of the problem.
This… is a bit of a bombshell:
Software is eating the world. Meanwhile, Microsoft is eating the software world… one acquisition at a time.
A severe security vulnerability impacted all popular npm package managers (npm, yarn, and pnpm) and even triggered a release for Node.js 12.4.0. What is behind this vulnerability, and why is it so important for us to understand? I wrote about it in a post that also explains how npm handles executables.
Jerod and Divya welcome npm CTO Ahmad Nassri to discuss modular architecture. What it is, why it matters, and how you can achieve it. Ahmad has been thinking deeply about this topic lately and we have a very fruitful discussion that should have takeaways for developers of all experience levels.
As of npm 6.13, maintainers can add a funding field to their package.json (which works very much like GitHub’s FUNDING.yml) and users can run npm fund to see how they can support their dependency authors.
Darcy Clarke had this to say about the feature on npm’s blog:
Post install you will now see output that describes the number of packages that have defined funding information. You can opt-out of this prompt by using the --no-fund flag if you so choose.
At the end of August, we made a promise to the community to invest time & effort to better support package maintainers. This work is just the first, small step toward creating a means/mechanism for a more sustainable open source development ecosystem.
shoulders is a simple script that lists open issues of your project’s open source dependencies. Simply run it inside of a JS project:
Modern software is built on the shoulders of giants—take a moment to contribute back 💛
Bryan Bogensberger (CEO of npm) writes on npm blog:
Over the past couple of years, we’ve observed a number of models emerging that enable a path towards sustainability for Open Source maintainers. Most notably: OpenCollective & GitHub Sponsors. We at npm are in full support of both these initiatives, and intend to collaborate further with these organizations.
Now we are ready to invite the community’s most active contributors and the biggest enterprise consumers of public open source code to a working group to finalize the platform’s definition.
Send questions/comments to firstname.lastname@example.org, or discuss your thoughts right here.
Jerod, Feross, and Nick discuss the latest npm security fiasco, opine on the strengths and weaknesses of spreadsheets, explain CORS like they’re 5 (sorta), and give shout outs to deserving purveyors of fine software.
I’d like to know what the current sentiment is towards npm after this settlement. Can they mend these community fences? Or, are you more hopeful of the “development of alternative technologies” as mentioned in this post?
The npm team is collaborating with GitHub on a new service that will automatically check for tokens that might have been accidentally pushed up to a repository and then automatically revoke them if they are valid. This will help to quickly mitigate attack vectors that might arise from the accidental oversharing of credentials for projects. From the post:
Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.
By one account, former npm CTO C J Silverio’s talk “rocked JS Conf EU over the weekend”. If you know some of the history and are already familiar with the challenges of centralization, scrub to the end for the BIG announcement.
- Avoid publishing secrets to the npm registry
- Enforce the lockfile
- Minimize attack surfaces by ignoring run-scripts
- Assess npm project health
- Audit for vulnerabilities in open source dependencies
Click through for those tips plus 5 more and a downloadable cheat sheet. Good stuff 👍
Install npm dependencies that run natively in the browser… without a bundler!
In this post, Isaac shares some backstory and details about this transition:
Today, I’m happy to introduce Bryan Bogensberger as npm, Inc.’s CEO. He brings a wealth of experience in Open Source and a ton of excitement and expertise to help grow npm to the next level and beyond. Commercializing something like this without ruining it is no small task, and building the team to deliver on npm’s promise is a major undertaking. We’ve sketched out a business plan and strategy for the next year, and will be announcing some other key additions to the team in the coming months.
Meanwhile, I’ve taken on the title of Chief Product Officer and I will be spending my time focused on the part of the problem that I love.
See what happens when a rogue evil dependency explores ways to attack the developer, server, the end user, plus other examples.
Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say, …
It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.
If you already know what save-exact, npm ci, npm audit fix, npx, updtr, and NVM_SYMLINK_CURRENT do, maybe skip this post. If not, check it out!
Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned into malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts.
They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainership of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.
Contribute your insights to the 2018 npm survey and help to evolve and improve tools, services, and the ecosystem.
Do you have packagephobia? Maybe you should… If you don’t, you just might after using this tool:
Package Phobia reports the size of an npm package before you install it. This is useful for inspecting potential dependencies or devDependencies without using up precious disk space or waiting minutes for npm install. Ain’t nobody got time for dat.