Posts by Haoqun Jiang

One more reason to use @pnpm.io and @npmx.dev:
trust policy downgrade becomes visible and preventable

1 week ago 94 14 3 3

Moltbook is fascinating.

2 months ago 1 0 0 0

TIL that IPv4 over IPv6 is a mainstream home internet setup in Japan to avoid old PPPoE limits.
It took me back to my college years in China, when I was playing with IPv6 over IPv4 because native IPv6 wasn’t widely available.
It’s really interesting to see how differently things evolved here.

4 months ago 2 0 1 0
Preview
pnpm 10.21 | pnpm Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.

@pnpm.io getting better by the day

pnpm.io/blog/release...

I still can't believe that a one-person package manager is doing better than npm CLI, owned by a corporation, where the resources of the two projects are incomparable.

Draw your own conclusions.

4 months ago 38 4 2 0

Apple forgot to turn off sourcemaps when shipping their new App Store website lol github.com/rxliuli/apps...

5 months ago 6 0 0 0

lmao 🤣

5 months ago 4 0 0 0
Preview
Mitigating supply chain attacks | pnpm Sometimes npm packages are compromised and published with malware. Luckily, there are companies like [Socket], [Snyk], and [Aikido] that detect these compromised packages early. The npm registry usually removes the affected versions within hours. However, there is always a window of time between when the malware is published and when it is detected, during which you could be exposed. Fortunately, there are some things you can do with pnpm to minimize the risks.

Published an article about mitigating supply chain attacks with pnpm
pnpm.io/supply-chain...

6 months ago 59 12 0 1
The bloat of edge-case first libraries How building edge-case first led to bloated, overly-granular libraries and what we can do about it

some thoughts about the bloat introduced by edge-case first libraries

6 months ago 131 45 12 11

We encourage everyone to migrate from using npm publish tokens to trusted publishers!

github.com/e18e/ecosyst...

7 months ago 27 5 1 4

Finally, finally! SALVATION HAS ARRIVED! Time to refactor every GitHub Actions workflow! 🎉

8 months ago 3 0 0 0

Wow, this was unexpected. I've got mixed feelings, but huge congrats to the team!

8 months ago 9 1 2 0

But there is a language switcher at the bottom of the GoDaddy homepage? And you can use root paths like www.godaddy.com/en to go directly to the English homepage.

9 months ago 0 0 0 0

Bought. The interactive debugger looks cool!

1 year ago 4 0 2 0

I rarely feel that the Vue ecosystem is lacking anything, but this time, I truly wish we had a Vue version of this library. Impressive work!

1 year ago 5 0 1 0

You won't have to worry even without corepack - pnpm reads from `packageManager` too: pnpm.io/npmrc#manage... And you can prevent npm from being used with `devEngines`: github.com/npm/cli/pull...

1 year ago 3 0 1 0

Finally. I wish the community could migrate from the `packageManager` field to `devEngines` following this - always pinning versions is good in theory but way too cumbersome in practice.

1 year ago 8 0 0 0
Preview
[RFC] Proper Import Attributes support · vitejs vite · Discussion #18534 Context: Import Attributes is now stage 4: https://github.com/tc39/proposal-import-attributes Related PR / issues: #17485 rollup/rollup#5694 There are few different aspects regarding properly impor...

There’s an RFC for this: github.com/vitejs/vite/...

1 year ago 1 0 0 0

This thing is so useful. Especially for security - ensuring the published package is actually what exists in the source

1 year ago 15 5 0 0
Preview
npm Blog Archive: announcing free Orgs npm Blog (Archive); updates from the npm team are now published on the GitHub Blog and the GitHub Changelog

Can't believe scoped packages weren't a free feature of npm until 2017-03-22 blog.npmjs.org/post/1587182...

1 year ago 5 0 0 0
GitHub commit message:

docs: add --no flag to npx command to avoid downloading the incorrect package from npm
Thanks to @alxndrsn for finding this issue and the insightful blog post.
https://www.alxndrsn.com/2024-08-01-npx-binary-confusion/

Also thanks to @lirantal for his newsletter that brought this issue to
my attention.
https://www.nodejs-security.com/newsletter/npm-supply-chain-security-prisma-orm-security-fun-nodejs-security-challenges

Git Diff:

- npx vue-cli-service serve
+ npx --no vue-cli-service serve
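Review bot: the guard is only applied to the `serve` line; if the same docs show other `npx vue-cli-service ...` invocations (build, lint, test), they need the identical change or the protection is inconsistent, and the commit message should state which npx versions accept the `--no` spelling (older npx shipped with npm 6 spelled this `--no-install`), since a reader copying the line onto an older npm will not get the behaviour the message describes.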

😮‍💨 Still paying down the tech debt that accumulated during the transition from non-scoped packages to scoped ones… I’m lucky to have subscribed to @lirantal.com’s Node.js security newsletter. It’s always informative!

- www.alxndrsn.com/2024-08-01-n...
- www.nodejs-security.com/newsletter/n...

1 year ago 7 1 2 0
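A check for the hazard behind that commit, as an added example that is not part of the post, of vue-cli, or of npm: it lints package.json-style scripts for `npx <name>` calls whose name no locally installed dependency provides, i.e. the calls that npx could satisfy by fetching a same-named package from the registry, and it suggests the `--no` form for each. The script set and the local inventory (`SAMPLE_SCRIPTS`, `SAMPLE_LOCAL`) are constructed for the demo; in a real project the inventory would be built from `node_modules/.bin` and the lockfile. It also handles `-p`/`--package` (where the package npx would fetch is the flag's argument, not the bin) and version suffixes on scoped names.

```javascript
// Added example (not code from the post, from vue-cli, or from npm): a checker for
// the "npx binary confusion" hazard the commit above guards against. It scans
// package.json-style scripts for `npx <name>` calls and reports which ones could
// make npx fetch a registry package of that name because no locally installed
// dependency provides it. SAMPLE_SCRIPTS and SAMPLE_LOCAL are constructed inputs;
// in practice the inventory would come from node_modules/.bin and the lockfile.

const NO_INSTALL_FLAGS = new Set(['--no', '--no-install']); // never fetch
const AUTO_INSTALL_FLAGS = new Set(['-y', '--yes']);        // fetch without prompting

// Split a script on common shell list operators. Quoting is deliberately not
// handled; this is a lint, not a shell parser.
function splitCommands(cmd) {
  return cmd.split(/\s*(?:&&|\|\||;|\|)\s*/).map((s) => s.trim()).filter(Boolean);
}

// Parse one `npx ...` segment: flags, packages requested via -p/--package, and
// the first positional (the bin to run). Returns null for non-npx segments.
function parseNpx(segment) {
  const tokens = segment.split(/\s+/);
  if (tokens[0] !== 'npx') return null;
  const flags = [];
  const packages = [];
  let target = null;
  for (let i = 1; i < tokens.length; i++) {
    const tok = tokens[i];
    if (tok === '--') { target = tokens[i + 1] ?? null; break; }
    if (tok === '-p' || tok === '--package') {
      flags.push('--package');
      if (i + 1 < tokens.length) packages.push(tokens[++i]);
      continue;
    }
    if (tok.startsWith('--package=')) {
      flags.push('--package');
      packages.push(tok.slice('--package='.length));
      continue;
    }
    if (tok.startsWith('-')) { flags.push(tok); continue; }
    target = tok;
    break;
  }
  return { flags, packages, target };
}

// Strip a version/tag suffix: "foo@5" -> "foo", "@scope/foo@latest" -> "@scope/foo".
function packageName(spec) {
  const at = spec.indexOf('@', spec.startsWith('@') ? 1 : 0);
  return at === -1 ? spec : spec.slice(0, at);
}

// Audit every npx call in `scripts`. `localNames` is the set of bin names and
// package names installed locally (assumed to be built from node_modules/.bin
// and the lockfile). Verdicts:
//   local          - resolves locally today; a missing install would fall through to the registry
//   local-pinned   - resolves locally and `--no` makes a fetch impossible
//   missing        - not installed locally: npx would fetch (or prompt to fetch) from the registry
//   missing-pinned - not installed locally; `--no` makes npx abort instead of fetching
function auditScripts(scripts, localNames) {
  const findings = [];
  for (const [script, cmd] of Object.entries(scripts)) {
    for (const segment of splitCommands(cmd)) {
      const call = parseNpx(segment);
      if (!call) continue;
      // With -p/--package, the package npx would install is the flag's argument, not the bin.
      const requested = call.packages.length ? call.packages : call.target ? [call.target] : [];
      const noInstall = call.flags.some((f) => NO_INSTALL_FLAGS.has(f));
      const autoInstall = call.flags.some((f) => AUTO_INSTALL_FLAGS.has(f));
      for (const spec of requested) {
        const name = packageName(spec);
        const isLocal = localNames.has(name);
        const verdict = (isLocal ? 'local' : 'missing') + (noInstall ? '-pinned' : '');
        findings.push({
          script,
          segment,
          name,
          verdict,
          autoInstall,
          // Suggested hardening: add `--no` so npx can never fall through to the registry.
          fix: noInstall ? segment : segment.replace(/^npx\b/, 'npx --no'),
        });
      }
    }
  }
  return findings;
}

// Constructed demo input: a scripts block and the names a local install provides.
const SAMPLE_SCRIPTS = {
  serve: 'npx vue-cli-service serve',
  build: 'npx --no vue-cli-service build',
  lint: 'npx eslint . && npx prettier --check .',
  types: 'npx -p typescript tsc --noEmit',
  release: 'npx -y np',
};
const SAMPLE_LOCAL = new Set(['vue-cli-service', '@vue/cli-service', 'eslint', 'typescript', 'tsc']);

for (const f of auditScripts(SAMPLE_SCRIPTS, SAMPLE_LOCAL)) {
  console.log(`${f.script}: ${f.name} -> ${f.verdict}${f.autoInstall ? ' (auto-install)' : ''}; fix: ${f.fix}`);
}
```

Run it with `node` and look at the `missing` verdicts first: those are the calls where a typo, a removed dependency, or a fresh clone without `npm install` hands the decision of what to execute to the registry. `-y` makes that silent, which is why the finding carries the `autoInstall` flag separately.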
Preview
Speeding up the JavaScript ecosystem - Rust and JavaScript Plugins Up until recently, supporting JavaScript in Rust based tools has been deemed not worth it. The main concern is the overhead of the de-/serialization cost when sending data back and forth. But there is...

Speeding up the JavaScript ecosystem part 11 is here! This time we're looking at:

Extending Rust tools with JavaScript plugins

marvinh.dev/blog/speedin...

1 year ago 144 39 9 2

Have you tried `v-memo`?

1 year ago 0 0 0 0
Preview
Reka An open-source library with unstyled, primitive components, accompanied by a variety of examples & use cases ready to be integrated into your projects.

Looks like Reka UI, the rebranded Radix Vue component library, has just been officially released 👀 It's such a cool name. Can't wait to try it out!

1 year ago 87 8 3 0
Screenshot of Node.js REPL with the following text:

› await import ("./index.js")
[Module: null prototype] { oneTrueDate: [Function: oneTrueDate] }
_.oneTrueDate(new Date())
'2024-03-01'

#TIL So this is the fastest way to import an ES module in the Node.js REPL… How did I never know about the `_` (underscore) auto-assignment in the REPL?!
nodejs.org/api/repl.htm... So many wasted keystrokes over the years!

1 year ago 8 1 0 0

@rspack/core does not have a postinstall script, so it won't be in the list in the first place. If the attacker adds one, it won't be executed by default.
This feature mitigates risks like this, and that's it; it's not designed to prevent all possible attacks.

1 year ago 2 0 1 0

Note it's not about their Node APIs (so Vite isn't affected), just when executing the binaries (i.e. `pnpm exec esbuild`) there will be a performance hit.

1 year ago 2 0 0 0

In my experience this new default doesn't break many projects.
But it might slow down some native packages a bit.
For example, packages like esbuild, lightningcss-cli try to optimize their binaries in the postinstall scripts; these will no longer be executed by default: github.com/evanw/esbuil...

1 year ago 1 0 1 0

Resurfacing this post now that pnpm 10 is tagged as latest.

1 year ago 3 1 1 0

?? The link preview is still available even though I deleted the link? Interesting feature/bug…

1 year ago 1 0 0 0

And in case you still want that username, you can temporarily change your handle back and forth to reserve it. This feature was introduced about a month ago: bsky.app/profile/bsky...

1 year ago 0 0 0 0