We're excited to announce that Socket is joining the @openjsf. Proud to support the #JavaScript ecosystem alongside so many great projects and contributors.
I made a new thing! like the semver package, but for PURLs: https://www.npmjs.com/package/purl
`npx purl $specifier` or `npx purl $purl` will validate, normalize, and provide parse info.
add `--check` & it'll contact the relevant registry & verify the package and version exist.
(you can import it too)
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a Fortune 500 tech company. https://www.npmjs.com/package/eslint-plugin-lockfile
You can also run the eslint rule as a standalone CLI! `npx lintlock` / https://www.npmjs.com/package/lintlock
(all written in ESM, all with minimal deps, all supporting only modern node, for those that care about that sort of thing)
Exciting news for me and @nodejs today (ノ◕ヮ◕)ノ*:・゚✧
- https://github.com/nodejs/node/issues/55918
- https://github.com/nodejs/node/pull/56132
1993: I use BBSes for online interaction. Each BBS is run by some random person. They connect to a federated worldwide network. I keep my notes in .TXT files.
2008-2022: I use social networks like Facebook and Twitter for online interaction. They're huge and popular. I use Evernote for my notes, which is full of features.
2023: I use Mastodon for online interaction. Each instance is run by some random person. They connect to a federated worldwide network. I keep my notes in .TXT files.
Watching recordings of @tidelift's #Upstream conference, and I'm seeing lots of interesting #OpenSource #Security topics there.
One early highlight in https://youtu.be/WFo57yIzZ-Q?t=1248 is @ljharb reminding us businesses already have fiduciary responsibility to their shareholders for investing in their #FOSS infrastructure so it is sustainable.
THANK YOU! This is a super important message and bears repeating. But it's not enough!
Some projects need contributions, time and attention more than funding!