Hope people like @doctorow.pluralistic.net are seeing these things and will do follow ups on their earlier pessimistic takes.
Posts by Wes
If people complain about atproto not being distributed and don't want to work to improve that situation, tell them to donate some money to the good folks at @eurosky.social so we can have European owned atproto stack for the folks that live here. And if they just want to complain, let them complain.
Show these people the rsky atproto stack, and tell them to use Blacksky if they want to help making atproto more distributed
I’m a bad person.
Here is another recent discussion on the topic. As you can see there, I defend that there are some use cases for bundling, but this case seems likely to fit this advice from @43081j.com even with this being a dev tool.
bsky.app/profile/4308...
Bundling dependencies doesn't fix the problems.
You hide the dependencies while making your package really big. You also don't get the deduplication that NPM does and the user can't control which versions get installed (in case something gets hacked).
This!!! People please listen to @devminer.xyz. Bundling in libraries is not the answer to your problems.
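To make the "user can't control which versions get installed" point concrete, here is an added example (not from any post in this thread): a consumer's package.json that pins a transitive dependency with npm's `overrides` field. This only works when the library leaves the dependency declared rather than bundling it; the package and version names below are placeholders chosen for illustration.

```json
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "some-library": "^2.0.0"
  },
  "overrides": {
    "some-library": {
      "vulnerable-transitive-dep": "1.4.2"
    }
  }
}
```

After `npm install`, `npm ls vulnerable-transitive-dep` shows the pinned version under `some-library`, and a single copy is deduplicated across the tree. If `some-library` had bundled `vulnerable-transitive-dep` into its own dist file, neither the override nor `npm audit` would see it, which is the hiding problem described above.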
To the multiple people this week who said to me ”but Bluesky is not distributed yet” and I replied “yes it is!”
They are working on a separate system to “fix” it. Staged publishing where it requires an npm auth (with 2fa) to promote a release. Why we couldn’t have just designed a secure system with 2fa in the first place is a bit confusing to me. But that ship sailed, so here we are.
Yep. It’s pretty much fundamentally broken by design. You can read about the security model on the pypi docs, which is what the npm implementation was directly based on.
Your seat is available 🤣
Glad people are realizing the problems here. We put together a blog about some of this in case it helps: openjsf.org/blog/publish...
TLDR is trusted publishing's security model is fundamentally flawed.
I deserve to be banned for this disgusting display of culinary delight.
Like look at this!!!
I have only had the opening taste and it’s already clear this will be my best meal of the trip so far.
Thanks for the lunch suggestion @tazs.ing!
We are happy to announce the NodeConf EU is returning in 2026. This time, things will be a little different. While the Irish countryside made for a beautiful backdrop for getting the community together to talk about Node.js, there have always been a number of logistical challenges to hosting there;
we're having a little npmx social tonight in London! come join us for conversation, food, beer, and stickers 🥳
guild.host/events/npmx-...
come get stickers!!!!!!
my profile description.
Like considering changing that part of my profile to this lol. It’s great.
Might be my favorite new sticker.
Pulp art ipa and some npmx stickers including one that says “human first”.
Meetup time!
How does one run the @eslint.org CLI with a *single* plugin without all the default rules?
I know how to do this with the JS api via overrideConfig and overrideConfigFile. I specifically want to run `eslint --config=...` without all the `eslint/defaults/*` configs.
I would suggest following people you have good direct interactions with and then if they post things you find overwhelming in one of those categories you are not interested in muting them rather than unfollowing. Keeps some of the network effect without making your feed unappealing.
Yeah I found it way easier here to curate my experience and avoid most of the negativity that was bringing me down on twitter.
Helps probably that I don’t give the slightest care for “reach” of my posts. I don’t use socials as a way to promote anything, thankfully.
And I will add that SEAs are not a complete solution either, but are a component for *some* of the use cases that go along with why folks bundle for @nodejs.org.
There are reasons beyond just lambdas and actions. I think we need to start putting the idea that it is an anti-pattern behind us and recognize that it is a justifiable decision and deal with the tooling support necessary to support the use case.
🪿 There are some wild takes out there right now about open source being “dead” after recent supply chain attacks and rapid advances in AI-driven security.
Let’s talk goosenomics for a minute. → socket.dev/blog/dont-ki...
I believe this is the year we’ll start to see a shift from employees refusing to adopt AI because it doesn’t work to refusing to adopt AI so that they aren’t training their replacement.
Depending on how it happened it could even still be on your machine. And it could also be on their machine without using the reflog since their `main` or branch could have it.