rfcs
enquirer
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rfcs
-
Ruby Shield: Shopify donates $1M to stewards of rubygems, bundler
I can give a limited answer based on my own day-to-day work. I work in Ruby Dependency Security, which is the team who are most involved in helping out with rubygems.org and RubyGems work. Our biggest effort lately has been about rolling out MFA requirements for owners of top-most-downloaded gems. What I'd like to do afterwards is focus on gem signing using sigstore, which would make it a "one click" experience for authors. We did some work on it earlier this year[0] but chose to focus on MFA as our first big push. We also aim to devote a substantial fraction of our time to chopping wood and carrying water: looking at honeybadger exception reports, etc.
In terms of the long run there's a whole bunch that can be done to continuously harden every aspect of the Ruby supply chain. One thing we've been involved in founding is the OpenSSF Securing Software Repos working group[1], which has meant that RubyGems maintainers are now talking directly with folks from PyPI, npm, Maven Central, Cargo and others. We all face shared threats (eg, dependency confusion, resurrection attacks etc), so getting together to work collectively and share ideas has been super awesome.
[0] https://github.com/rubygems/rfcs/pull/37
[1] https://github.com/ossf/wg-securing-software-repos
-
Making popular Ruby packages more secure
That’s correct. If you’re a maintainer of a very popular gem, as of 15th August you’ll no longer be able to e.g. `gem push` if you haven’t enabled MFA on your RubyGems account. You will of course still be able to log in and enable it.
More details in the RFC: https://github.com/rubygems/rfcs/blob/master/text/0007-mfa-r...
-
NPM Vulnerability Discussion on Twitter
> < 10% had useful 2FA enabled.
I expect this to change. NPM will roll out mandatory MFA for the most-downloaded packages[0] (RubyGems as well[1]). I expect this will rise to a 100% requirement at some point because Github's decision to require MFA by the end of 2023 will massively raise the waterline of folks who have the capability to MFA and experience with MFA.
[0] https://github.blog/2021-11-15-githubs-commitment-to-npm-eco...
[1] https://github.com/rubygems/rfcs/issues/35
-
Sigstore
The RFC trying to introduce sigstore for RubyGems is an interesting look at this in practice: https://github.com/rubygems/rfcs/pull/37
- RFC for Sigstore Rubygems Signing
- RFC: Proposal for new signing mechanism
- Require MFA for most-used gems [RubyGems RFC]
enquirer
-
GitHub Sponsors: Jon Schlinkert JavaScript developer
jonschlinkert (Jon Schlinkert) · GitHub
-
For achieving the widest adoption among Windows users, which commonly used scripting language would be best suited for a CLI program?%
Although I'm happy there is a way to bundle Node.js apps with support for pnpm, and for a modern-ish version of Node.js, it's somewhat slow in my experience to build locally. Interactivity doesn't have the greatest ecosystem there, especially with TypeScript. Best library I've found is Enquirer.
-
💡 Generate package.json From GitHub
{ "name": "@jonschlinkert/omit-deep", "description": "Recursively omit specified keys from an object", "tags": ["object", "deep", "remove", "omit"], "version": "0.3.0", "author": "Jon Schlinkert (https://github.com/jonschlinkert)", "repository": "jonschlinkert/omit-deep", "bugs": "https://github.com/jonschlinkert/omit-deep/issues", "license": "MIT" }
-
Using generators to improve developer productivity
In case you need to ask for user input, optionally you can use a prompt file. This is very useful to customize the output of the generator. Prompts are defined using a library named Enquirer.
-
NPM Vulnerability Discussion on Twitter
> I don't fully understand why packages like this are so popular.
It actually works like this: Author X develops `iseven`, `isodd`, etc. No one really downloads such packages. Author X then develops `importantPackage` which does do something useful developers out here download. Now `iseven`, `isodd` are downloaded alongside `importantPackage`.
My point is, we should recognize certain NPM authors as toxic, but I guess "freedom of speech/code" stops us from doing so. Example of such an author: https://github.com/jonschlinkert/
-
Call for Deno module ideas
something like enquirer
-
I will pay you cash to delete your npm module
You're thinking of Jon Schlinkert, publisher of 1435 packages on npm.
-
NPM – is-even, 160k weekly downloads
It's insanely funny to me that these packages exist while one of his bigger projects (https://github.com/enquirer/enquirer) lists the following reason under "why use it":
> Lightweight - Only one dependency, the excellent ansi-colors by Brian Woodward.
-
BREAKING!! NPM package ‘ua-parser-js’ with more than 7M weekly download is compromised
It's written by this guy, who shits out micro libraries by the hundreds. He moved the project to another user under the pretense that he was learning to program back then, but a lot of his stuff is similarly inconsequential micro libraries.
- NPM Audit: Broken by Design
What are some alternatives?
sigstore-website - Codebase for sigstore.dev
prompts - ❯ Lightweight, beautiful and user-friendly interactive prompts
harden-runner - Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
oclif - CLI for generating, building, and releasing oclif CLIs. Built by Salesforce.
npm
deno - A modern runtime for JavaScript and TypeScript.
rubygems - Library packaging and distribution for Ruby.
deno-puppeteer - A port of puppeteer running on Deno
package-analysis - Open Source Package Analysis
ua-parser-js - UAParser.js - Free & open-source JavaScript library to detect user's Browser, Engine, OS, CPU, and Device type/model. Runs either in browser (client-side) or node.js (server-side).
wg-securing-software-repos - OpenSSF Working Group on Securing Software Repositories
terminalizer - 🦄 Record your terminal and generate animated gif images or share a web player