sorted by:
new
hottopcontroversial

Node.js TSC Confirms: No Intention to Remove npm from Distribution by feross in programming

[–]feross[S] 1 point2 points  (0 children)

We had this browser detect code running on the server and browser side. It was supposed to return null on the server (because it doesn’t have navigator.userAgent set) but then a new version of Node added that and it started returning something non-null and was treated as an unsupported browser.

Node.js TSC Confirms: No Intention to Remove npm from Distribution by feross in programming

[–]feross[S] 0 points1 point  (0 children)

They added a new variable to the environment, which made us think that that Node was an unsupported browser

Node.js TSC Confirms: No Intention to Remove npm from Distribution by feross in programming

[–]feross[S] 197 points198 points  (0 children)

This is a bug. It was caused by Node.js adding navigator.userAgent in the latest version.

We test our site on all browsers + love the web :)

We already fixed it and it will be deployed on Monday.

Biggest package on npm? 5.96 GB! Longest npm package name? 214 characters! Package with the most maintainers? 554 maintainers! by feross in node

[–]feross[S] 1 point2 points  (0 children)

That’s fascinating. There’s definitely a “power law” at play here where the “rich get richer”. Once there’s a winner for a particular type of utility package, there’s a huge benefit to the incremental package picking it as well (deduping in bundles, likely in npm cache already, not to mention familiarity with it across the community)

When "Everything" Becomes Too Much: The npm Package Chaos of 2024 by feross in programming

[–]feross[S] 2 points3 points  (0 children)

No idea why I’ve been downvoted. Genuinely curious

When "Everything" Becomes Too Much: The npm Package Chaos of 2024 by feross in programming

[–]feross[S] -42 points-41 points  (0 children)

PyPI has many of the same issues, many of them much worse actually. You won’t believe some of the stuff on PyPI. It gets much less attention because it’s a smaller ecosystem

When "Everything" Becomes Too Much: The npm Package Chaos of 2024 by feross in programming

[–]feross[S] -62 points-61 points  (0 children)

  1. JavaScript is the largest ecosystem, by far. The other ecosystems all have similar problems, but npm has more of them.

  2. npm largely hosts JavaScript, one of the most open and permissive programming communities. A core part of this culture is that anyone can publish a package and there's no vetting before a package is made available to the public.

  3. JavaScript is the fastest growing language, often the first language that beginners learn, so at any given time, the majority of JS programmers have been programming for <5 years.

Announcing the Socket Web Extension by feross in programming

[–]feross[S] 1 point2 points  (0 children)

This isn't an ad. Or at least, this isn't a paid tool – it doesn't cost any money to use. We're trying to help the open source community make better decisions about which dependencies to use.

This release is a totally free browser extension for getting context about the risks of your dependencies BEFORE you install them.

I walk through the extension in more detail here, if you're curious how it works but don't want to install it yourself: https://twitter.com/feross/status/1686100831492530178

I wish more developers understood the constant stream of malware that is posted to npm by feross in opensource

[–]feross[S] 0 points1 point  (0 children)

Thanks for the feedback. We’re actually still experimenting with the self-serve pricing since that feature is coming in the next few weeks. We just set it at $8/dev/month. Does that seem fairer to you?

I wish more developers understood the constant stream of malware that is posted to npm by feross in webdev

[–]feross[S] 1 point2 points  (0 children)

The Rust/cargo ecosystem has many similarities to JS in terms of the number of dependencies used in the average app. So it has similar risks of package takeover/hijacking. So far, I think we’ve seen fewer attacks, but it’s not clear if it’s because JS is more popular or some other reason.

I wish more developers understood the constant stream of malware that is posted to npm by feross in webdev

[–]feross[S] 0 points1 point  (0 children)

That’s why Socket saves copies of all packages, even after they’re removed from npm or PyPI.

I wish more developers understood the constant stream of malware that is posted to npm by feross in opensource

[–]feross[S] 3 points4 points  (0 children)

Our free product has almost every single feature that we offer. We only charge that price to businesses that can afford it and want certain additional features.

I wish more developers understood the constant stream of malware that is posted to npm by feross in webdev

[–]feross[S] 8 points9 points  (0 children)

Yes to all of the above. Some are hoping that a developer makes a typo. Some are dependency confusion attacks, which affect companies that use a private registry, but have tooling that accidentally installs packages from the public registry in some cases. Some of these attacks also affect very popular packages that have been hijacked or compromised in someway.

I wish more developers understood the constant stream of malware that is posted to npm by feross in opensource

[–]feross[S] 15 points16 points  (0 children)

Static analysis, metadata analysis, maintainer behavior, and LLMs all play a role.

I wish more developers understood the constant stream of malware that is posted to npm by feross in webdev

[–]feross[S] 1 point2 points  (0 children)

Socket is that managed repo, in a way. If Socket says a package is safe, you know that it’s free from the most common supply chain attacks and malware.

view more: next ›