Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rfcs
-
Ruby Shield: Shopify donates $1M to stewards of rubygems, bundler
I can give a limited answer based on my own day-to-day work. I work in Ruby Dependency Security, which is the team who are most involved in helping out with rubygems.org and RubyGems work. Our biggest effort lately has been about rolling out MFA requirements for owners of top-most-downloaded gems. What I'd like to do afterwards is focus on gem signing using sigstore, which would make it a "one click" experience for authors. We did some work on it earlier this year[0] but chose to focus on MFA as our first big push. We also aim to devote a substantial fraction of our time to chopping wood and carrying water: looking at honeybadger exception reports, etc.
In terms of the long run there's a whole bunch that can be done to continuously harden every aspect of the Ruby supply chain. One thing we've been involved in founding is the OpenSSF Securing Software Repos working group[1], which has meant that RubyGems maintainers are now talking directly with folks from PyPI, npm, Maven Central, Cargo and others. We all face shared threats (eg, dependency confusion, resurrection attacks etc), so getting together to work collectively and share ideas has been super awesome.
[0] https://github.com/rubygems/rfcs/pull/37
[1] https://github.com/ossf/wg-securing-software-repos
-
Making popular Ruby packages more secure
That’s correct. If you’re a maintainer of a very popular gem, as of 15th August you’ll no longer be able to e.g. `gem push` if you haven’t enabled MFA on your RubyGems account. You will of course still be able to log in and enable it.
More details in the RFC: https://github.com/rubygems/rfcs/blob/master/text/0007-mfa-r...
-
NPM Vulnerability Discussion on Twitter
> < 10% had useful 2FA enabled.
I expect this to change. NPM will roll out mandatory MFA for the most-downloaded packages[0] (RubyGems as well[1]). I expect this will rise to a 100% requirement at some point because Github's decision to require MFA by the end of 2023 will massively raise the waterline of folks who have the capability to MFA and experience with MFA.
[0] https://github.blog/2021-11-15-githubs-commitment-to-npm-eco...
[1] https://github.com/rubygems/rfcs/issues/35
-
Sigstore
The RFC trying to introduce sigstore for RubyGems is an interesting look at this in practice: https://github.com/rubygems/rfcs/pull/37
- RFC for Sigstore Rubygems Signing
- RFC: Proposal for new signing mechanism
- Require MFA for most-used gems [RubyGems RFC]
npm
-
XML is better than YAML
The fact that JSON doesn't support comments is so annoying, and I always thought that Douglas Crockford's rationale for this basically made no sense ("They can be misused!" - like, so what, nearly anything can be misused. So without support for comments e.g. in package.json files I have to do even worse hacky workaround bullshit like "__some_field_comment": "this is my comment"). There is of course jsonc and JSON5 but the fact that it's not supported everywhere means 10 years later we still can't write comments in package.json (there is https://github.com/npm/npm/issues/4482 and about a million related issues).
-
Jest not recommended to be used in Node.js due to instanceOf operator issues
Things like the sparkline charts on npmjs (e.g. https://www.npmjs.com/package/npm ) are interactive SVGs. I think they're pretty common for data visualizations of all kinds
-
JavaScript registry NPM vulnerable to 'manifest confusion' abuse
I actually did a POC 7 years ago about this - https://github.com/tanepiper/steal-ur-stuff
It was reported to npm at the time, but they chose to ignore it - https://github.com/npm/npm/issues/17724
-
I'm a Teapot
Every time this pops up, I'm reminded of the day that the NPM registry started returning 418 responses.
I remember being at a training course that day and my manager asking me what we could do to fix it because our CI was failing to pull dependencies from NPM.
Trying to explain that NPM was returning a status code intended as an April Fools joke and which was never meant to see the light of production was quite difficult
https://github.com/npm/npm/issues/20791
-
Dissecting Npm Malware: Five Packages And Their Evil Install Scripts
I should really get around to how I discovered this 6 years ago and still nothing done about it
-
Attackers are hiding malware in minified packages distributed to NPM
Whenever something like this comes up I usually have to tap the sign (and the original report)
-
NPM Vs PNPM
NPM is not "Node Package Manager". https://www.npmjs.com/package/npm
-
A not so unfortunate sharp edge in Pipenv
> which can be overriden with env setting
Support for this is not great. Lots of packages still don't support this properly. My experience matches the 2015 comment https://github.com/npm/npm/issues/775#issuecomment-71294085
> Not sure why "symlinks" would be involved.
If you make your node_modules a symlink, multiple packages will fail. Even if you're not interested in doing that, others are.
> What NPM does is leaps and bounds ahead
Unless you change your node / gyp version. It doesn't really have a concept of runtime version. You can restrict it, but not have two concurrent versions if they conflict.
-
Front-end Guide
[email protected] was released in May 2017 and it seems to address many of the issues that Yarn aims to solve. Do keep an eye on it!
-
Framework axios pushed a broken update, crippling thousands of websites
I think it's had been supposed to do that since forever. Apart from some bug in npm 5.3. Are you sure your package-lock versions actually conform to the semver ranges in your package.json?
What are some alternatives?
sigstore-website - Codebase for sigstore.dev
pnpm - Fast, disk space efficient package manager
harden-runner - Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
corepack - Zero-runtime-dependency package acting as bridge between Node projects and their package managers
enquirer - Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert
spm
rubygems - Library packaging and distribution for Ruby.
yarn - The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
package-analysis - Open Source Package Analysis
Bower - A package manager for the web
wg-securing-software-repos - OpenSSF Working Group on Securing Software Repositories
jspm