-
TypeSpec: a Practical TypeScript-Inspired API Definition Language
Recently, Microsoft engineers officially unveiled TypeSpec, a new language tailored for API-centric development that addresses the complex needs of modern API design. TypeSpec is an open-source, extensible language inspired by TypeScript and C#. It supports various protocols and serialization formats, enabling developers to use a single tool to manage multiple API specifications.
-
Manifest Confusion Paves the Way to New npm Supply Chain Threats
A recent report by former npm engineering manager Darcy Clarke found that the npm registry does not validate manifest information against the contents of its corresponding package tarball. This creates a double source of truth that attackers can exploit to hide scripts or dependencies, says Clarke.
-
Malicious PyPI Package Removes netstat, Tampers with SSH Config
A recent report by Sonatype security researcher Ax Sharma highlights newly discovered malicious packages on the PyPI registry, including aptx, which can install the Meterpreter trojan disguised as pip, delete the netstat system utility, and tamper with the SSH authorized_keys file.
-
NPM Package Masquerading as Popular Material Tailwind Library To Install Malicious Code
Researchers at ReversingLabs discovered a malicious npm package masquerading as the Material Tailwind library. Their finding highlights a new trend among threat actors for delivering malicious code through what the researchers dub impostor packages.
-
Securing the Open-Source Software Supply Chain
Recent findings by security researchers at SonarSource showed multiple security vulnerabilities in popular package managers, including Pip, Yarn, Composer, and others. Package managers, though, are not the only weak link in the open source security chain. InfoQ has spoken with Sonatype CTO Brian Fox.
-
Npm 7 Now Generally Available, Supports Workspaces and Deterministic Builds
The recently released npm 7 adds several features requested by developers, e.g. support for workspaces, better support for peer-dependency management, and deterministically reproducible builds. npm 7 is a big release that includes several breaking changes aimed at improving the overall developer experience.
-
The JavaScript Coder's Guide to Getting More from GitHub and Npm - GitHub Satellite 2020
Edward Thomson, npm product manager at GitHub, recently explained at GitHub Satellite 2020 the implications of npm joining GitHub for JavaScript developers and how to get the best out of GitHub for both open source and professional work.
-
GitHub to Acquire Npm in an Effort to Provide Continuity and Improvement
GitHub's CEO Nat Friedman has announced an agreement to buy npm, the default package manager for the Node.js ecosystem. Npm will remain free to use and will get the required investments to keep it fast and reliable, says Friedman, as well as more secure.
-
Npm, Inc. Announces Npm Pro for Independent JavaScript Developers
npm, Inc. recently announced the launch of npm Pro, designed for independent JavaScript developers. npm also rebranded its existing npm Orgs, which caters to teams of developers, as npm Teams.
-
Npm Bans Packages Which Display Ads via Its Command Line Interface
npm, Inc., the company behind the popular eponymous JavaScript package manager, will no longer allow packages which display ads. Developers will be able to silence terminal messages which push ads or call for donations, and which stem from the regular use of the npm command line interface.
-
Making 'npm install' Safe
At QCon New York 2019, Kate Sills, a software engineer at Agoric, discussed some of the security challenges in building composable smart contract components with JavaScript. Two emerging TC39 JavaScript proposals, realms and Secure ECMAScript (SES), were presented as solutions to the security risks of the npm installation process.
-
NPM Adopted Rust to Remove Performance Bottlenecks
npm's exponential growth drove the npm engineering team to switch from Node.js to Rust for CPU-bound tasks that were about to become a performance bottleneck. A recent white paper overviews the experience of developing the new service in Rust and running it in production for more than one year.
-
JSUI, a UI Toolkit for Managing JavaScript Apps
JSUI introduces a visual tool for creating and managing JavaScript applications. The project provides utilities and features for both front-end and back-end applications, and most of its features are independent of underlying JavaScript frameworks.
-
Package Containing Malicious Backdoor Makes its Way into NPM
The NPM security team removed a package masquerading as a cookie parser that actually contained a malicious backdoor, along with three other packages depending on it. The backdoor allowed attackers to inject arbitrary code into a running server and execute it.
-
Node.js 10.0 and npm 6 Released with Emphasis on Security
On April 24 the Node.js project released version 10.0.0 of Node.js and npm, Inc. released version 6.0 of npm. Both releases emphasized security improvements, with Node.js updating to OpenSSL version 1.1.0 and npm including new security-focused features such as automatic alerting on insecure dependencies. The Node.js release also included a new native programming API and stable HTTP/2 support.