node-weight v1.0 is live on npm!

One table: size + security vulns + age for every npm dep in your project.

npx node-weight

https://www.npmjs.com/package/node-weight

#npm #nodejs #security #devtools

node-weight

See the size, security risk, and age of every npm dependency in one table. Latest version: 1.0.0, last published: an hour ago. Start using node-weight in your project by running `npm i node-weight`. There are no other projects in the npm registry using node-weight.

npm

🧨 Axios only needed to be resolved somewhere in your dependency graph to affect you.

Semver + transitive deps + runtime installs = hidden blast radius.

If you only checked your project’s lockfile, you may still not know.

https://socket.dev/blog/hidden-blast-radius-of-the-axios-compromise #nodejs

The Hidden Blast Radius of the Axios Compromise - Socket

The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.

Socket

🥳 New JavaScript Database (JSDB) release

• Fix: Now properly handling array indices on `JSTable.PERSIST` events in the `keypath` property that’s passed to the event handler.

Just noticed that the pretty keypaths of the JavaScript deltas written to the append-only log were ignoring array indices while playing with a new database introspection call I’m adding to the Kitten Interactive Shell (REPL) and fixed it.

I’ll be updating Kitten shortly to use this version of JSDB and I haven’t forgotten my promise to record a little video of the new Kitten Introspection API.

Enjoy!

💕

https://codeberg.org/small-tech/jsdb#readme

#JavaScriptDatabase #javascript #database #JSDB #SmallTech #SmallWeb #NodeJS

🚀 How to Deploy #Directus on #Ubuntu #VPS

This guide details the steps required to deploy Directus on an Ubuntu VPS server. Our guide walks through deploying Directus on a fresh Ubuntu VPS with PostgreSQL, PM2, and Nginx.
What is Directus?
Directus is an open-source headless CMS and data platform that sits on top of a SQL database (like PostgreSQL or MySQL) and ...
Continued 👉 https://blog.radwebhosting.com/deploy-directus-on-ubuntu-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.social #selfhosting #cmsapps #opensource #selfhosted #nodejs #headlesscms #contentmanagement

A gentle intro to npm workspaces, with visuals

https://programming.dev/post/48114676

A gentle intro to npm workspaces, with visuals - programming.dev

Lemmy

Axios versions 1.14.1 and 0.30.4 were compromised via a malicious npm dependency, deploying a cross-platform RAT on Windows, macOS, and Linux. Users must downgrade and rotate credentials to maintain control over their environments ⚠️

🔗 https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

#TechNews #Axios #npm #SupplyChainAttack #Attack #Hacking #Hackers #Cybersecurity #OpenSource #FOSS #RemoteAccessTrojan #Trojan #Malware #NodeJS #Security #DevSecOps #IT #Software #Privacy #RAT #Windows #Linux #macOS

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios 1.14.1 and 0.30.4 injected malicious [email protected] after npm compromise on March 31, 2026, deploying cross-platform RAT malware.

The Hacker News

The very popular axios library (downloaded around 100,000,000 times a week!) was the victim of a hack (supply chain attack), fortunately detected relatively quickly.

🔗 https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

#NodeJS #npm #lib #hack #sécurité

axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross-platform RAT. We are actively investigating and will update this post with a full technical analysis.

@andrewnez I'd really like to hear your thoughts on #npm in general. Was it really a terrible idea to let a private company run it? Shouldn't it have been bundled into #Nodejs? Would npm have just disappeared if someone like Bogensberger hadn't carved it up and sold it to GitHub/Microsoft? Fair play to Microsoft for footing the hosting bill, but look at the commit history. They're basically leaving it out to dry. Where to go from here? OpenJS? How does it all compare to other package registries?

RE: https://techhub.social/@Techmeme/116322870856344339

Why do people use Axios instead of the native Fetch API in 2026?

#NodeJS #JS #webDev
