| | javascript-clients | rfcs |
|---|---|---|
| Mentions | 5 | 39 |
| Stars | 4 | 768 |
| Growth | - | 0.3% |
| Activity | - | 5.8 |
| Last commit | 16 days ago | 9 days ago |
| Language | TypeScript | JavaScript |
| License | Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
javascript-clients
- Red Hat packages backdoored through its official NPM channel
List of affected packages: https://github.com/RedHatInsights/javascript-clients/issues/...
- npm Supply Chain Attacks, Pixel/Exynos Zero-Days, and Instagram Account Takeovers
- 31 Red Hat npm packages compromised, stealing cloud credentials
- NPM packages from RedHat have been compromised
This repository itself had to previously update from the axios supply chain attack [0] (co-authored by Claude lol). But just by looking at the change itself, the package is unpinned and won't solve the problem if it happens again as an illegitimate "security update".
So if you have an unpinned version of this package and you run 'npm install', you immediately download the compromised version and that's that.
[0] https://github.com/RedHatInsights/javascript-clients/commit/...
rfcs
- NPM packages from RedHat have been compromised
> they've taken no action.
Not running lifecycle scripts by default is eventually going to be the default behavior. Late is worse than not at all. https://github.com/npm/rfcs/pull/868
- Pnpm has a new setting to stave off supply chain attacks
There was an NPM RFC for this feature (though as focused on supply chain attacks) in 2022, but the main response mirrored some of the other comments in here.
"waiting a length of time doesn’t increase security, and if such a practice became common then it would just delay discovery of vulnerabilities until after that time anyways"
https://github.com/npm/rfcs/issues/646#issuecomment-12824971...
- My failed attempt to shrink all NPM packages by 5%
I think the main TLDR here [1]:
> For example, I tried recompressing the latest version of the typescript package. GNU tar was able to completely compress the archive in about 1.2 seconds on my machine. Zopfli, with just 1 iteration, took 2.5 minutes.
[1] https://github.com/npm/rfcs/pull/595#issuecomment-1200480148
- Yarn 4.0
npm workspaces plus Wireit works far better than Lerna, in my experience.
https://github.com/google/wireit
Wireit's ability to specify actual script dependencies, do caching (and on Github actions), and its long-running service script support make it much more useful and comprehensive than Lerna.
I agree that this should be built into npm. There's an RRFC for it here: https://github.com/npm/rfcs/issues/706
- NPM vs Yarn?
It's coming: https://github.com/npm/rfcs/blob/main/accepted/0042-isolated-mode.md
- How do you know that the .exe or .apk file for an open source software on github is actually compiled from the viewable source code?
This just got accepted as a proposal in NPM: https://github.com/npm/rfcs/pull/626
- Why aren't Node.js package managers interoperable?
npm also plans to support pnpm-style node_modules
- Axios shipped a buggy version and it broke many production apps. Let this be a lesson to pin your dependencies!
(I usually end up removing npm ci from CI/CD since I think it is way too slow and want to cache node_modules from previous builds; I'm waiting for https://github.com/npm/rfcs/issues/415 to land to make this fail-safe npm install --from-lockfile. Yarn does support this already)
- How to run multiple NPM commands simultaneously using concurrently
- [RRFC] Parallel script execution when value is set to an array of text. · Issue #610 · npm/rfcs
What are some alternatives?
pgpverify-maven-plugin - Verify Open PGP / GPG signatures plugin
SES-shim - Endo is a distributed secure JavaScript sandbox, based on SES
platform-frontend-ai-toolkit - A set of helpful coding AI tooling for frontend development
node-ipc - A nodejs module for local and remote Inter Process Communication (IPC), Neural Networking, and able to facilitate machine learning.
package-manager-hardening - A non-exhaustive list of package manager hardening recommendations to help prevent supply chain vulnerability attacks. Includes AGENTS.md files and skills to enforce these recommendations.
vm2 - Advanced vm/sandbox for Node.js