npm Security

For the past few weeks, an ongoing supply chain attack on npm packages has shaken the JavaScript community. It’s not that npm packages haven’t been compromised before, but this time, the targets were surprising. Attackers went after popular packages maintained by well-known authors, creating the potential for widespread damage.
GitHub responded about a week later, outlining plans to strengthen npm’s security. This includes changes to how npm tokens are generated and the introduction of trusted publishing as an alternative to token-based workflows. (Notably, JSR, an alternative JavaScript package registry, has always relied on trusted publishing in CI environments and doesn’t support publish tokens.) If you maintain npm packages, here’s what you should do right now:
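The concrete shape of the trusted-publishing alternative mentioned above, as an added example that is not from the newsletter: a GitHub Actions release workflow that publishes with a short-lived OIDC credential instead of a stored npm token. It assumes the package already has a trusted publisher configured on npmjs.com that points at this repository and this workflow file (the filename `publish.yml` and the repository are assumptions), and that the runner's npm is 11.5.1 or newer.

```yaml
# Added example, not the newsletter's own code.
# Assumed file: .github/workflows/publish.yml, registered as the package's
# trusted publisher on npmjs.com (repository owner, repository name and this
# workflow filename must match what is configured there).
name: Publish to npm

on:
  release:
    types: [published]

permissions:
  contents: read   # checkout only; the job cannot push to the repository
  id-token: write  # lets the job request an OIDC token that the npm registry
                   # exchanges for a short-lived publish credential

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing requires npm 11.5.1 or newer; Node 22 ships an
      # older npm, so upgrade the CLI first.
      - run: npm install -g npm@latest

      - run: npm ci

      # The token-based step this replaces looked like:
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # A leaked NPM_TOKEN can publish from any machine until it is revoked.
      # With a trusted publisher configured and no token in the environment,
      # npm publish authenticates with the job's OIDC token, and for public
      # packages the registry records a provenance attestation automatically.
      - run: npm publish
```

Once a publish from this workflow succeeds, delete the `NPM_TOKEN` secret and revoke the token on npmjs.com so there is no long-lived credential left to steal; keeping both paths alive defeats the point of the change.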
npm isn’t being targeted because it’s less secure than other registries, but because JavaScript’s popularity makes it a prime vector for spreading malicious code. Keeping the ecosystem safe starts with maintainers taking the right precautions.

Key Takeaways
Stuff I've Enjoyed this Month

🎬 Most devs don't understand how LLM tokens work by Matt Pocock
📝 CSS-only scrollspy effect using scroll-marker-group and :target-current by Sara Soueidan
🎬 This game theory problem will change the way you see the world by Veritasium
📝 A few things about the anchor element's href you might not have known by Jim Nielsen
🎧 How AI is taking over the US Government by David Sirota
📝 Behind the scenes of bun install by Lydia Hallie
🎬 How the New York Times beat paywall hackers for good by Coding with Lewis
📷 Insta360 Link 2 Webcam by Insta360

What I'm Working On

🏠 Real Estate: It's been a quiet month, thankfully, which is always the best case scenario with rental properties. Follow my Instagram for real estate photos.
🍞 Bredbox: Bredbox has around 30 users at this point, and I'm gathering feedback before letting the next batch of users in. So far, I've been pleased that the app hasn't crashed, even as I muddled my way through learning the Cloudflare infrastructure. The next step is to implement collections, after which I'll let in the next batch of users.
💻 ESLint:
Coaching for Tech Leads and Staff+ Engineers

If you're a tech lead or staff+ engineer, chances are your manager has no experience in your role. While they may be well-intentioned, they may not know how to help you grow in such a challenging position. That's where working with me can help. As a former tech lead and principal engineer at multiple companies, I learned firsthand the ins and outs of these roles. I work with my clients one-on-one to develop their leadership, communication, organization, and problem-solving skills to succeed in the upper ranks of the individual contributor track.
A once-per-month newsletter discussing topics important to senior-level software engineers, with a particular focus on frontend technology and leadership.
Code portability

If you’ve been following me recently, you’ve probably seen me mention Bredbox, my new application for saving bookmarks. This is the first time in years I’ve built a web application, so I put a lot of thought into the process. My philosophy is to leave as many options open as possible in case I need to change direction later. That’s why I recommend targeting Node.js for JavaScript applications, even if you plan to run them on Deno or Bun. Both Deno and Bun are largely...
The return of tech specs

When I was studying computer science as an undergraduate from 1996 to 2000, I took a course called Software Engineering that focused on the formal process of developing software. We learned to write a functional requirements document describing what the application should do, followed by a technical specification outlining how the software would achieve that. Only after completing both documents, often a semester-long effort with multiple review cycles, were we...
Deno: What happened?

When Ryan Dahl introduced Deno at JSConf EU 2018, it generated significant interest in the JavaScript community. As the creator of Node.js, Dahl presented a compelling vision: a new runtime that would address the common pain points developers face. Deno (a palindrome of "node") promised a fresh approach with new core APIs, ESM-only modules, familiar web APIs, independence from npm, and security by default. Who better to reimagine the JavaScript runtime than the person who...