📖 This article by @sarahgooding.bsky.social at @socket.dev highlights a concerning trend (ref. socket.dev/blog/attacke...)
📕 Story time: this kind of supply chain targeting isn't unique. I myself & everyone on our team @vlt.sh have been the targets of consistent, concerted efforts.
Posts by vlt /vōlt/
tldr; if you used @vlt.sh as your package manager, then you were protected the minute @socket.dev flagged the malicious packages in the `axios` attack yesterday. The best time to switch your package manager was 48hrs ago, the next best time is right now.
More below: blog.vlt.sh/blog/vlt-build
Graph showing daily new packages being uploaded to NPM for the last 12 months and showing a lot of growth since the start of 2026.
Yesterday we saw the most _new_ NPM packages being released in the last 12 months, at 2804 packages.
Pretty steady upward trajectory here, unlike anything we've ever seen. This graph is spiky because it's daily data and weekends are lower.
The @vlt.sh benchmark suite has been updated to include the yarn v6 canaries (still a WIP & improving all the time): benchmarks.vlt.sh
🧑‍💻 Come "Cowork with Friends" tomorrow in Downtown Mesa!
We'll be at Pair Cupworks from 8:30am-12pm.
@vlt.sh will be sponsoring beverages and raffling off 1 free ticket to @halfstackconf.bsky.social Phoenix!
Join the group or just show up! coworkwithfriends.com/group/downto...
Darcy Clarke and Ruy Adorno are longtime npm CLI maintainers and Node.js contributors. They join @joshuakgoldberg.com to discuss vlt, a new package manager and registry designed to improve performance, security, and developer experience.
@darcyclarke.me
@ruyadorno.com
bit.ly/3YNGniF
@lukekarrys.com joins HalfStack Phoenix.
A practical story about building for kids, using NFC cards to control music, and turning everyday interactions into something playful and intuitive.
📅 January 30th, 2026 — Majestic Theater, Gilbert
🎟️ halfstackconf.com/phoenix
#HalfStackphoenix #TechEvents
Today, we published a security release for @nodejs.org that fixes a critical bug affecting virtually every production Node.js app.
If you use React Server Components, Next.js, or ANY APM tool (Datadog, New Relic, OpenTelemetry), your app could be vulnerable to DoS attacks.
👇
The top licenses published on #npm .
Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]
🚀 Here is @vlt.sh's take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build
#javascript #nodejs #packages
If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...
Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out.
Join me and check them out: www.vlt.sh
Thanks @vlt.sh! This is awesome!
Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected.
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
⚡ Point. Click. Discover.
🚀 We're excited to unveil a new Query Builder to @vlt.sh's UI. It's now dead simple to visually navigate complex dependency graph filters without typing a thing. No need to memorize our selector syntax (if you don't want to).
🚀 Dependency Selector Syntax can now be used across @vlt.sh commands like run, exec, and pkg!
This enables precise filtering when running scripts, executing commands, or getting package info. You have access to the whole graph!
Read more about how it works and some example use cases:
🚀 Excited to announce another major addition to the @vlt.sh client: Graph Modifiers!
Graph Modifiers enable fine-grain customization of your install using our powerful Dependency Selector Syntax ⚡️
Read more about it here: blog.vlt.sh/blog/introdu... #javascript #nodejs #packages
💬 @vlt.sh is starting Weekly Community Sync calls today (in ~5min actually); here's the deets:
📝 Agenda: github.com/vltpkg/vltpk...
🎙️ Join: recording.vlt.sh
🔴 Watch...
On Riverside: recording.vlt.sh
On YouTube: www.youtube.com/@vltpkg/live
Excited to build together!
🚀 We just shipped catalog support to @vlt.sh! If you go grab the latest version you can now install & manage dependencies with pnpm-like catalog definitions (ex. `vlt i typescript@catalog:dev`).
You can read more here: blog.vlt.sh/blog/catalog...
We're looking for a Senior Backend Engineer to join our team at @vlt.sh based here in Toronto 🇨🇦 at our HQ. If you love JavaScript & open source this may be right up your alley. Please share if you know anyone who would be a great fit.
www.linkedin.com/posts/darcyc...
#javascript #nodejs #packages
JSR now supports @vlt.sh 🎉
For the record the secret logo is @vlt.sh! Now I will never forget your logo! 😂
🙇‍♂️ Thank you @vlt.sh @ruyadorno.com et al. for giving the community a cohesive toolkit for working with packages docs.vlt.sh/packages. I wish I had some of these when I was building Paka with @schickling.dev ❤️!
In partnership with @socket.dev we're bringing Socket Package Alerts to your local dependencies when using the vlt client.
Introducing Package Insight Selectors, a powerful addition to our Dependency Selector Syntax that helps you understand and secure your node_modules folder.
#js #nodejs #vlt
vlt client: query package data for security information (provided by Socket)
@ruyadorno.com @vlt.sh
blog.vlt.sh/blog/insight...
#ECMAScript #JavaScript
We're excited to announce the new Insights Selectors for @vlt.sh's Dependency Selector Syntax.
This new information allows you to query packages based on a variety of security-focused metadata powered by @socket.dev! ⚡️
🚀 We just launched `$ npx reproduce <pkg>`
bart simpson standing in front of a smoky the bear machine with the text: YOU PRESSED "YOU," REFERRING TO ME. THAT IS INCORRECT. THE CORRECT ANSWER IS YOU.
whenever i try to use `--ours` vs `--theirs` in git: