🦋 jddalton.bsky.social

Along with the blog post there's a recording of the interview. Listen to the full interview OR the last 10 minutes (linked) → youtube.com/watch?v=ZbWx6s…

@tom_doerr I tested this and embedded into Tamp.dev as one of many tools for token compression

Okay I looked it up. The npm registry is having a banger year, downloads are up 130% YoY, and March alone saw a 35% increase (!!)

Nice! Big fan of moderation tools

presented w/o judgement: #lodash packages are now downloaded in total 152 million times DAILY that's a ~20% increase in the past month alone almost 2k downloads/SECOND

Understanding JavaScript security is more important than ever 👀 Check out our free training course to better spot security flaws in JavaScript apps, design safer systems, and bring a security-first mindset to every stage of development. Details here: bit.ly/4vhXCay

This is agent-ci.dev, it runs the same native GitHub Actions Runner in a container. The difference is the control pane: Which is a local http server. So it never communicates with GitHub.com, because of this we can do all kinds of interesting things: 1. 0ms cache restores (copy on write mounts) 2. pause-and-retry on failures (bash injection in step.) 3. 100% compatible with GH actions. (just a control pane.)

I love it!

Whatever kind of learning this is, this is how I learn.

I’m leaning this way too. List default node thing, users map the rest

http://localhost:lodash

Next release will have double stuffed Lodash ≧

jokes on them, ignoring my inbox has long been part of my security posture

Wanted to warn the #NodeJS community: This campaign is active. Thank you to the maintainers who shared their stories - some of these came frighteningly close. One got all the way to the fake meeting before walking away. The more we talk about this, the harder it is for these attacks to succeed.

Great piece from @a16z. A few things I’d add from the front lines of detecting the Axios attack: Socket detecting the attack 16 minutes before publication is worth dwelling on. We caught plain-crypto-js because its behavior was anomalous the moment it appeared on npm – postinstall script, network access, OS fingerprinting, binary download, self-deletion. No CVE needed. The package told us what it was by what it did. The core issue is that AI agents treat npm install as a solved problem. It isn’t. Every dependency decision is a trust decision, and right now agents are making thousands of those decisions per day with zero security context. We need to give agents the same visibility into package behavior that we’d want a human developer to have – but at machine speed.

Node.js didn't always use llhttp. The original `http-parser` was a C library that was "totally unmaintainable". Any change meant recompiling. It was rigid, static, and couldn't be configured. 😬 We (@platformatic) did a deep dive with @kettanaito to explore the intricacies of @nodejs HTTP layer!

Socket is free for open source maintainers. We're launching the @SocketSecurity for Open Source program -- any open source maintainer can get a free Team plan to protect their project from supply chain attacks. Open source is critical infrastructure. Millions of companies depend on packages maintained by small teams and volunteers. These maintainers are high-value targets but rarely have access to enterprise security tooling. That's wrong. We want to fix it. What you get: ✅ Full dependency scanning across your project ✅ Real-time alerts for malicious packages in your dependency tree ✅ Check every PR to make sure no malicious dependencies are added -- including PRs from outside contributors If you maintain an open source project, send an email to support[at]socket[dot]dev and we'll get you set up!

📍 @nodejs drops bug bounty rewards after external funding dries up. A real hit to its security incentives → socket.dev/blog/node-js-d… #nodejs #javascript

as promised the postmortem for the axios incident may be found here github.com/axios/axios/is…

Unfortunately, security reports are no longer eligible for bounties due to the IBB program being paused