Secure-Supply-Chain
rfcs
| Secure-Supply-Chain | rfcs | |
|---|---|---|
| 2 | 35 | |
| 27 | 718 | |
| - | 0.6% | |
| 1.8 | 5.7 | |
| over 2 years ago | 2 days ago | |
| JavaScript | ||
| MIT License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Secure-Supply-Chain
- Microsoft Secure-Supply-Chain – Improving OSS Provenance
-
NPM package ‘ua-parser-JS’ with more than 7M weekly download is compromised
Semi-related: Microsoft is going to be (or has begun) checking for differences between published npm packages and their source control.
I got a PR in my repository a few days ago leading back to a team trying to make it easier for packages to be reproducible from source https://github.com/microsoft/Secure-Supply-Chain
rfcs
-
Yarn 4.0
npm workspaces plus Wireit works far better than Lerna, in my experience.
https://github.com/google/wireit
Wireit's ability to specify actual script dependencies, do caching (and on Github actions), and it's long-running service script support make it much more useful and comprehensive than Lerna.
I agree that this should be built into npm. There's an RRFC for it here: https://github.com/npm/rfcs/issues/706
-
NPM vs Yarn?
It's coming https://github.com/npm/rfcs/blob/main/accepted/0042-isolated-mode.md
-
How do you know that the .exe or .apk file for an open source software on github is actually compiled from the viewable source code?
This just got accepted as a proposal in NPM: https://github.com/npm/rfcs/pull/626
-
Why aren't Node.js package managers interoperable?
npm also plans to support pnpm-style node_modules
-
Axios shipped a buggy version and it broke many productions apps. Let this be a lesson to pin your dependencies!
(I usually end up removing npm ci from CI/CD since I think it is way too slow and want to cache node_modules from previous builds; I'm waiting for https://github.com/npm/rfcs/issues/415 to land to make this fail-safe npm install --from-lockfile. Yarn does support this already)
- How to run multiple NPM commands simultaneously using concurrently
- [RRFC] Parallel script execution when value is set to an array of text. · Issue #610 · npm/rfcs
- Lerna has gone. Which Monorepo is right for a Node.js BACKEND now?
- NPM introduces a new Dependency Selector Syntax
-
How to respond to growing supply chain security risks?
I started following this problem from the discussion at npm about making install scripts opt-in. But install scripts are not the only threat, there are more ways for malicious actors:
What are some alternatives?
goggles.mozilla.org - Update: This project is no longer maintained and has been archived. See https://foundation.mozilla.org/blog/putting-away-our-x-ray-goggles/ for more information.
vm2 - Advanced vm/sandbox for Node.js
handlebars-helpers - 188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.
pnpm - Fast, disk space efficient package manager
ua-parser-js - UAParser.js - Free & open-source JavaScript library to detect user's Browser, Engine, OS, CPU, and Device type/model. Runs either in browser (client-side) or node.js (server-side).
corepack - Zero-runtime-dependency package acting as bridge between Node projects and their package managers
Cargo - The Rust package manager
GHSA-g2q5-5433-rhrf
feedback - Public feedback discussions for npm
SES-shim - Endo is a distributed secure JavaScript sandbox, based on SES
npm-workspaces-demo
node-ffi-napi - A foreign function interface (FFI) for Node.js, N-API style