Many of the large supply chain breaches are classic phishing attacks too (fake login flow to capture 2FA).
Generally just a good idea not to click links and not to install prompted things
Posts by James
Awesome work by Florian here. Always happy to be able to collab with such great people too
they're local in this case too - your editor/debugger/etc downloads and caches them at debug time is all, rather than install time.
if the language was always that way, all your tools would do this fetch-on-demand logic. so you'd never know any difference
this is why taking that line out of context loses a lot of meaning.
packages shouldn't include sourcemaps _if there was such a thing as a symbol/sourcemap server standardised_
you do, because we don't have symbol servers like other languages do.
if node/browsers always had a concept of a symbol server to host sourcemaps, do you think you would still prefer to ship sourcemaps? I doubt it would've even crossed your mind because it would've never been how we do things
interesting! so does this roughly work by having no sourcemap URLs in the runtime code, but uploading them to sentry somewhere? and this resolves them from the sentry server when processing a stack trace?
for sure. some kind of registry that is aware of these IDs would achieve the same as a symbol server i think
not quite. you still need to ship your sourcemaps with your production code today, especially since node doesn't support cross-origin sourcemaps yet (or only very recently does).
the package you publish to npm shouldn't contain sourcemaps. a separate resource should (same way symbol servers work)
Though this is made difficult by the fact we bundle our dependencies. Often we have maps of maps of maps.
But bundlers too could pull from the server in order to create their own map etc.
Source map servers should be a thing
Just like in c# land - they should be downloaded when debugging rather than shipped with prod code
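The symbol-server model discussed above, as an added example that is not code from anyone in this thread: the runtime bundle carries no sourceMappingURL, only a build id, and the stack-trace processor fetches the map from a separate store and decodes the VLQ mappings itself. The store contents, build id and the tiny source map are constructed for illustration.

```javascript
// Added example: resolve a minified stack frame via a separate "source map server".
// Assumption: bundles ship only a build id; maps live in a store keyed by that id.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Decode one base64-VLQ segment (e.g. "AAGE") into its signed integer fields.
function decodeSegment(seg) {
  const out = [];
  let value = 0, shift = 0;
  for (const ch of seg) {
    const digit = B64.indexOf(ch);
    if (digit < 0) throw new Error(`bad VLQ char ${ch}`);
    value += (digit & 31) << shift;
    if (digit & 32) { shift += 5; continue; } // continuation bit: more digits follow
    out.push(value & 1 ? -(value >>> 1) : value >>> 1); // lowest bit is the sign
    value = 0; shift = 0;
  }
  return out;
}

// Expand "mappings" into per-generated-line lists of absolute positions.
// Source index, original line and column carry over between lines; genCol resets.
function parseMappings(mappings) {
  let src = 0, line = 0, col = 0;
  return mappings.split(';').map(lineStr => {
    let genCol = 0;
    return lineStr ? lineStr.split(',').map(seg => {
      const f = decodeSegment(seg);
      genCol += f[0];
      if (f.length >= 4) { src += f[1]; line += f[2]; col += f[3]; }
      return { genCol, src, line, col };
    }) : [];
  });
}

// Constructed stand-in for the symbol server: one map, keyed by a fake build id.
const SOURCEMAP_STORE = new Map([
  ['build-7f3a', { version: 3, sources: ['src/app.ts'], mappings: 'AAGE,UAEE' }],
]);

// Map a generated frame (1-based line, 0-based column) back to its original position.
function resolveFrame(buildId, genLine, genCol) {
  const map = SOURCEMAP_STORE.get(buildId);
  if (!map) return null; // unknown build: leave the frame unsymbolicated
  const segs = parseMappings(map.mappings)[genLine - 1] || [];
  const hit = segs.filter(s => s.genCol <= genCol).pop(); // nearest segment at/before col
  if (!hit) return null;
  return { source: map.sources[hit.src], line: hit.line + 1, column: hit.col };
}
```

Because the map is fetched by id at processing time, nothing in the published package needs to contain it.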
What was the reasoning for not going esm only?
Can the pre-node-20 cjs consumers not use the old major?
Seems a shame to see packages _introducing_ dual these days
Reviving my spare laptop so I can have a Linux machine again and some tiling wm goodness
Very nice work! what was the biggest saving?
seems my brain still thinks it is in Canada time
hah! maybe we need a few more major versions of it to show it isn't unmaintained
bad wes!
what tools or runtime JS libraries do you use that you wish were faster?
I do want to implement that at some point too
This is a good start that I'm sure will give me lots of ideas to extend it
revived the multiline prompt PR that was contributed some time ago in clack.
reworked it heavily and it's almost ready to go!
npmx.dev/package/is-two
i started making an "is this npm package real?" quiz but all the fake ones i could think of were real
good to be back home. now time to catch up on too many things
hah yes sounds very familiar
Was great to meet you! Glad you could join us
Aw yeah look at that awesome @e18e.dev sticker!
ESLint recently decided all their repos will have no lock files so it is "representative of what end users see".
I wish I could kill that myth
barely any end users have the very latest of everything deeply
City life is the best
A lot of it will just be the fact you're in a shared office for a change too I suspect
The e18e GitHub action should do this too if it doesn't already. It's as simple as detecting repo changes
I did. the flight was too delayed. All good though, I'm on my way back home now!
maybe this axios supply chain attack will push people to switch to native fetch