Jordan Harband

@ljharb
397 Followers
353 Following
74 Posts
software engineer/nerd/teacher/will try anything once; surgeon with git rebase. @TC39 ex @Coinbase @Airbnb @twitter @MobBase. Fav punctuation ⸮, scent petrichor.
Jordan HarbandFeb 19
SocketFeb 19

We're excited to announce that Socket is joining the @openjsf Proud to support the #JavaScript ecosystem alongside so many great projects and contributors.

https://socket.dev/blog/socket-joins-openjs-foundation

Socket Joins the OpenJS Foundation - Socket

Socket is proud to join the OpenJS Foundation as a Silver Member, deepening our commitment to the long-term health and security of the JavaScript ecos...

Socket
Jordan HarbandJan 29
nvm.sh users: please upgrade to https://github.com/nvm-sh/nvm/releases/tag/v0.40.4 if you're using `wget` on your system, to fix a medium vulnerability (https://github.com/nvm-sh/nvm/security/advisories/GHSA-4fc5-r4vr-8rp7).
Release v0.40.4 · nvm-sh/nvm

Bug Fixes sanitize NVM_AUTH_HEADER in wget path nvm_has_colors: also check if stdout is a terminal nvm_strip_path: avoid gawk-specific RT variable for mawk compatibility nvm_get_default_packages: ...

GitHub
Jordan HarbandJan 9

I made a new thing! like the semver package, but for PURLs: https://www.npmjs.com/package/purl

`npx purl $specifier` or `npx purl $purl` will validate, normalize, and provide parse info.

add `--check` & it'll contact the relevant registry & verify the package and version exist.

(you can import it too)

Jordan HarbandDec 22

I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. https://www.npmjs.com/package/eslint-plugin-lockfile

You can also run the eslint rule as a standalone CLI! `npx lintlock` / https://www.npmjs.com/package/lintlock

(all written in ESM, all with minimal deps, all supporting only modern node, for those that care about that sort of thing)

Jordan HarbandOct 27
OH at GitHub Universe day 0, in a session on “beyond the bus factor”, discussing accidental leadership: “you didn’t choose the maintainer life…”
Show threadJordan HarbandOct 14
@dckc @openwebdocs hardened JS, i believe, follows a “practical membrane transparency” model (like SES/caja etc), that is largely impossible to make fully immune from a determined attacker.
Show threadJordan HarbandJul 19, 2025
also, v5.0.0, which got the same treatment. I assume this was from a pre-existing session and one of npm’s publish servers hadn’t caught up yet - tokens are disallowed (on virtually all my packages)
Jordan HarbandJul 19, 2025
Heads up that v3.3.1 of https://npmjs.com/is has malware in it, due to another maintainer’s account being hijacked. They’re removed for now, v3.3.0 is set at latest, v3.3.1 is deprecated, and a v3.3.2 will be published once I’m not on my phone (thx @github codespaces)
is

the definitive JavaScript type testing library. Latest version: 3.3.0, last published: 7 years ago. Start using is in your project by running `npm i is`. There are 638 other projects in the npm registry using is.

npm
Jordan HarbandDec 4, 2024

Exciting news for me and @nodejs today (ノ◕ヮ◕)ノ*:・゚✧

- https://github.com/nodejs/node/issues/55918
- https://github.com/nodejs/node/pull/56132

Nominating @ljharb to be a Collaborator · Issue #55918 · nodejs/node

I nominate @ljharb as a collaborator. He has been helping review code in Node.js for a long time and has expressed interest in becoming a releaser in the future. He is also an OpenJS Board member (...

GitHub
Show threadJordan HarbandDec 3, 2024

@nilesh Oof, `funding.json` seems like it assumes there's a project website (most projects don't have one) and for those projects, requires a file checked into the root of repo (messy, not scalable for those with dozens or hundreds of projects)

also `npm fund` already exists for the JS ecosystem and they should be using that format.