Here's me trying to make sure we ship as secure as possible software, and there's someone who doesn't know how to use an npm ignore file to not ship their shitty Docker files in their modules #node#npm
OK, I should really change all my projects that use #npm/#yarn to use #pnpm. If you barely use Node then it's probably not worth it, but for a webdev it now seems like a no-brainer.
Considering that every year we have a new ambitious replacement for #npm in the JavaScript world, @naderman and @seldaek apparently did a very good job when building and maintaining #composer for #php. Thanks a lot to you two and everyone else involved.
So I just saw a PR for a Node.js project, where the developer had used an npm command I'm unfamiliar with... or at least, I didn't know of:
npm clean-install
Now, I'm familiar with npm ci, but I had absolutely no idea that the alias of npm clean-install existed. I didn't even realise that's what "ci" stood for: "clean install".
I always thought npm ci meant “the npm command you wanna run in CI environments”
On macOS, I’m using these scripts:
"build": "npm run clean && tsc && npm run chmod",
"clean": "shx rm -rf ./dist/*",
"chmod": "chmod u+x ./dist/src/cmd.js",
Alas, the last script won’t work on Windows. What’s a good way to fix this?
If an #npm package has "exports", it can “self-reference” them via its package name. That’s useful for tests (which demo how importing packages would use the code).
// util_test.js
import {helperFunc} from 'my-package/misc/util.js';
#NPM based packages should mandatorily disclose what's the code size and what will be the node_modules folder count and total size, coz that combined together could show what kind of liability I am getting myself into. #supplychain issues arise from being unaware / ignorant about your liabilities mostly.
Especially the part where you can just publish your TypeScript package without transpilation, and they handle #NodeJS/NPM compatibility, is pretty big IMO.
We continue to identify sophisticated threats originating from the use of #opensource software packages. This time the attacker uses a signed #Microsoft executable to initiate the attack chain through an #npm package.
I spelunked into steganography to create a new feature in https://www.deciduous.app/ that lets you reimport PNGs and SVGs of your decision trees to derive the underlying YAML.
Deciduous now also sports a CLI (so you can #npm install it), and a bunch of lil things @shortridge and I added towards the goal of fast, easy, collaborative #threatmodeling of potential failures.