How we built JSR
We recently launched the JavaScript Registry - JSR. It’s a new registry for JavaScript and TypeScript designed to offer a significantly better experience than npm for both package authors and users: It natively supports publishing TypeScript source code, which is used to auto-generate documentation for your package It’s secure-by-default, supporting token-less publishing from GitHub Actions and pa
Why Should You Care About Package Metadata Interoperability? | OpenJS Foundation
Community Why Should You Care About Package Metadata Interoperability? A neutral industry group called the Package Metadata Interoperability Collab Space has formed at the OpenJS Foundation to iterate on the informal standardization of package.json and improve the interoperability of JavaScript package metadata for application developers. The package.json file is the entry point for nearly all Jav
Node.js Community Debate Intensifies Over Enabling Corepack by Default and Potentially Unbundling npm - Socket
Node.js Community Debate Intensifies Over Enabling Corepack by Default and Potentially Unbundling npmThe Node community is wrestling with the decision to enable Corepack by default, which has sparked a debate about the potential of removing npm from the Node.js binary. A heated debate is happening in the Node.js community over a proposal to enable Corepack by default that was opened in November 20
Node.jsで機能やパッケージの非推奨メッセージを通知する方法
ライブラリやツールなどを作っているときに、特定の機能やパッケージを非推奨にする場合があります。 これらの非推奨はリポジトリ上のREADMEやIssueなどに書いても、利用者が気づかないことがあります。 そのため、利用者が気付けるように非推奨の機能やパッケージを使った場合に警告を出す方法を紹介します。 非推奨にはいくつかの段階があり、それに応じてやり方を変えられるので、それぞれの方法を紹介します。 パッケージの非推奨化: npm deprecate <package> <message> コードレベルの非推奨化: JSDocタグの@deprecated 実行時の非推奨化: process.emitWarning() パッケージの非推奨化: npm deprecate <package> <message> npmのパッケージレベルで、そのパッケージが非推奨であることを通知するにはnpm de
npm in Review: A 2023 Retrospective on Growth, Security, and Quirky Facts - Socket
npm in Review: A 2023 Retrospective on Growth, Security, and Quirky FactsFrom unprecedented expansion to security challenges: A comprehensive look at npm's dynamic year. It's a new year! So let's look back at how npm, the most popular package manager in the world, fared in 2023. We will look at some of the major trends in the ecosystem and investigate what the data reveal about how npm grew over t
NPM registry prank leaves developers unable to unpublish packages
NPM registry prank leaves developers unable to unpublish packagesLaura FrenchJanuary 3, 2024 A prank on npm included a meme image of Gary Oldman from the film “Léon." (Photo by Patrick Camboulive / Sygma via Getty Images) Update Jan. 4, 2024: GitHub told SC Media Wednesday night that disruptions related to the "everything" package, and its registry-wide dependencies, were being resolved. "We found
npm install --productionみたいなの色々ありすぎ問題
Introducing auto-triage rules for Dependabot
ProductSecurityIntroducing auto-triage rules for DependabotMake quick work of alerts with preset and custom rules. Since the May beta release of our GitHub-curated Dependabot policies that detect and close false positive alerts, over 250k repositories have manually opted in, with an average improvement of over 1 in 10 alerts. The impact so far: auto-dismissal of millions of alerts that would have
ni.zsh: npmインストール時のサプライチェーン攻撃を検知する機能を追加
Blogged Answers: My Experience Modernizing Packages to ESM
Random musings on React, Redux, and more, by Redux maintainer Mark "acemarke" Erikson This is a post in the Blogged Answers series. Details on the painful experiences and hard-earned lessons I've learned migrating the Redux packages to ESM Table of Contents 🔗︎ Introduction Redux Packages Background Packages and Configurations Issue History Early Attempts Migrating to Vitest Initial Alpha Testing
Security alert: social engineering campaign targets technology industry employees
SecuritySecurity alert: social engineering campaign targets technology industry employeesGitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor. GitHub has
時期を決めて定期的に更新するnpmパッケージをChangesetsで管理する
毎月や半年に一回といったように、リリースする時期(間隔)を決めて更新するタイプのパッケージがあります。 具体的には、次のtextlintのプリセットルールは1月と7月という形で半年に一回リリースしています。 textlint-ja/textlint-rule-preset-japanese: textlint rule preset for Japanese. textlint-ja/textlint-rule-preset-ja-technical-writing: 技術文書向けのtextlintルールプリセット なぜ、このようにリリースする時期を決めているかというと、これらのパッケージは他のパッケージに依存していて、他のパッケージの更新がそのままメジャーアップデートになりやすい性質があるためです。 そのため、依存を更新してリリースすると、頻繁にメジャーアップデートしないといけなくなりま
The massive bug at the heart of the npm ecosystem
Disclosure: I was the Staff Engineering Manager for the npm CLI team between July 2019 & December 2022. I was a part of the GitHub acquistion of npm inc. in 2020. I left GitHub, for various reasons, in December. tldr;a npm package's manifest is published independently from its tarballmanifests are never fully validated against the tarball's contentsthe ecosystem has broadly assumed the contents of
Introducing npm package provenance
Open SourceSecurityIntroducing npm package provenanceHow to verifiably link npm packages to their source repository and build instructions. Starting today, when you build your npm projects on GitHub Actions, you can publish provenance alongside your package by including the --provenance flag. This provenance data gives consumers a verifiable way to link a package back to its source repository and
npm/yarn/pnpm/bunを同じコマンドで扱える ni のzsh実装を書いた
npm installとnpm ciの動作確認を簡単にやっておいた - Mitsuyuki.Shiiba
Introducing "safe npm", a Socket npm Wrapper - Socket
Introducing "safe npm", a Socket npm WrapperSocket is proud to introduce an exciting new tool—“safe npm”—that protects developers whenever they use npm install. Socket is proud to introduce an exciting new tool—“safe npm”—that protects developers whenever they use npm install. Socket’s “safe npm” CLI tool transparently wraps the npm command and protects developers from malware, typosquats, install
NPM Kiosk - A new way to sell NPM packages
Selling NPM packages could be a great way for creators to earn money and in return make better software for buyers. But almost nobody is doing it. We think it is because the process is too cumbersome for both parties. NPM Kiosk is an idea for how the ergonomics can be improved - it is also a template for selling and installing private NPM packages without the need for private registries. The probl
New npm features for secure publishing and safe consumption
Open SourceProductNew npm features for secure publishing and safe consumptionNow you can create tokens with fine-grained permissions for automating your publishing and organization management workflows. And a new code explorer allows you to view content of a package directly in the npm portal. We are excited to announce two new features for a safer npm package ecosystem experience: granular access
npm v9.0.0 released
October 24, 2022 The npm CLI team has been working hard over the past few months and are happy to announce the release of the next major version – v9.0.0 Installation You can start using npm v9.0.0 today by running: $ npm i -g npm@9 About this release Our goal with this major release was to standardize appropriate defaults and clean up legacy configurations where possible. We believe the changes m
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
