I tip my hat to everyone out there that is doing the thankless, unpaid work to ensure their environments & software stays safe/secure. At @vlt.sh we're giving back (ex. @opensourcepledge.com) & building a package manager that attacks the last mile problem with a zero trust approach.
Posts by Darcy Clarke
The next attack may not require much social engineering at all, just a big enough check. Again, let that sink in.
Aligning incentives is important. At some point, the random guy in Nebraska, maintaining a critical piece of software, gets burnt out from the thankless social contract. This should be a very scary situation for everyone. People's ethics erode as resentment rises.
In modern warfare the software supply chain is one of the most critical targets/vectors for exploitation. Surprisingly, I haven't heard of a single OSS maintainer who has had any expense paid for them by their nation state.
I remember talking w/ @notwes.bsky.social & @jordan.har.band at some point about the OSS ecosystem being the target of state actors & a comment was made to the effect of: "it's not like the government gives us laptops or pays for our yubikeys...". Let that sink in for a moment...
We license software to be consumed "as-is" for a reason. The total cost of ownership should be on the consumer. Unfortunately, there's an implied social contract that maintainers keep software safe/secure at no cost to the consumer. This needs to change.
This isn't anything new. I've been targeted ever since my time at @npmjs.bsky.social @github.com where a compromise of mine - or anyone on my teams - would have been devastating to the ecosystem.
What often goes unrecognized is just how professional open source maintainers are.
This article by @sarahgooding.bsky.social at @socket.dev highlights a concerning trend (ref. socket.dev/blog/attacke...)
Story time: this kind of supply chain targeting isn't unique. I myself & everyone on our team @vlt.sh have been the targets of consistent, concerted efforts.
this is one of my favorite parts of the @vlt.sh CLI. it uses @socket.dev security data to prevent known malware from running lifecycle scripts like postinstall!
and it's powered by queries under the hood so you could make it as granular as you wanted (but we ship with safe defaults)
We're seeing cases where teams can't explain how they were compromised by the Axios incident because it doesn't show up in their project's lockfile. The blast radius here is much larger than it looks.
Deep dive into the messy reality of modern dependency resolution: socket.dev/blog/hidden-...
"consistency" & "speed" are sort of nebulous without more context. I'm going to assume the former is in regards to availability/reliability(?) & the latter is about delivery(?), although I could be wrong/feel free to correct me.
I heard you like fast package managers? What about fast registries?
It's been a roller coaster of a month but our team has made some serious headway w/ even more improvements in the works.
Gotta keep the registry fast so y'all can nab the next Claude Code leak.
Yes.
tldr; if you used @vlt.sh as your package manager, then you were protected the minute @socket.dev flagged the malicious packages in the `axios` attack yesterday. The best time to switch your package manager was 48hrs ago, the next best time is right now.
More below: blog.vlt.sh/blog/vlt-build
I'm still waiting on the "Vestro" announcement from @vercel.com today - where it's a slop fork of Astro...
Will add for sure. Happy it's been working for you & speed is definitely top of mind for us.
What's your favourite part of vlt? Also, what do you think we could improve/add?
Thank you... I was late to this discussion & have many thoughts/feelings/opinions.
? Subtweet? Context? My meat brain can't keep up
Yikes
Fixed up some perf issues and benchmark bugs in the new-streams reference impl ... some highlights running comparisons on @nodejs.org @deno.land and @bun.sh ... note each column is just looking at the one runtime, not comparing runtimes against each other ...
When does slop become soup? Like... delicious soup
Appreciate it! <3
Note: for those last benchmark screenshots I shared, the labels are:
- "vlt": our hosted registry
- "npm": the npm public registry (`registry.npmjs.org`)
- "AWS": AWS Code Artifact
We've got a bit of a backlog of docs/marketing/comms but if there's anything specific you're interested in or want to know more about, fire away.
For VSR, we're going to continue maintaining that as a lightweight self-hosted option (great for testing/local dev) but we've been primarily focused on our hosted registry/service.
Perf & security again are top of mind. Initial benchmarks show significant wins against npm/AWS. More on this soon.