Package Managers Content on InfoQ
-
GitHub Enables Dependabot via GitHub Actions, Improves Supply Chain Security
GitHub has released two features to improve the security and resilience of repositories. The first feature allows Dependabot to run as a GitHub Actions workflow using hosted and self-hosted runners. The second release introduces the public beta of Artifact Attestations, simplifying how repository maintainers can generate provenance for their build artifacts.
-
Glasskube an Emerging Kubernetes Package Management System
The cloud-native landscape is thriving, but a crucial piece is still missing: a robust package management system. Glasskube, an emerging open-source project in this domain, aims to close this gap with its first release (v0.0.1).
-
Manifest Confusion Paves the Way to New npm Supply Chain Threats
A recent report by former npm engineering manager Darcy Clarke found that the npm registry does not validate manifest information against the contents of its corresponding package tarball. This creates a double source of truth that attackers can exploit to hide scripts or dependencies, says Clarke.
-
Heuristic Static Analysis Tool GuardDog Used to Detect Several Malicious PyPI Packages
GuardDog is a new open source tool aimed at identifying malicious Python packages using Semgrep and package metadata analysis. Thanks to a set of source code heuristics, GuardDog can detect malicious packages never seen before and has been used to identify several malicious PyPI packages in the wild.
-
The JavaScript Coder's Guide to Getting More from GitHub and Npm - GitHub Satellite 2020
Edward Thomson, npm product manager at GitHub, recently explained at GitHub Satellite 2020 the implications of npm joining GitHub for JavaScript developers and how to get the best out of GitHub for both open source and professional work.
-
Import Maps - Guy Bedford at ESNEXT 2020
Guy Bedford, core contributor and creator of the dynamic module loader system.js, discussed the workflows enabled by import maps. In his talk at ESNEXT this year, Bedford took a historical view while introducing the motivation behind the import map proposal, and linked the feature with the package entry points used in the latest version of node.
-
pnpm: a Space-Efficient JavaScript Package Manager
pnpm is an npm-compatible package manager for JavaScript that offers significant improvements in both speed and disk space usage. With the release of version 5.0, it's time to take a serious look at what differentiates pnpm from the competition.
-
Npm, Inc. Announces Npm Pro for Independent JavaScript Developers
npm, Inc. recently announced the launch of npm Pro, designed for independent JavaScript developers. npm also rebranded its existing npm Orgs, which caters to teams of developers, as npm Teams.
-
GitHub Package Registry Integrates Source Code and Packages
GitHub launched a limited beta of its new Package Registry, aiming to simplify publishing public or private packages under the same user interface as source code. GitHub Package Registry supports npm, Maven, RubyGems, NuGet, and Docker images, and support for more package management tools is already on its roadmap.
-
Dependabot Automatically Creates GitHub PRs to Fix Your Vulnerabilities
Leveraging the GitHub Security Advisory API, Dependabot aims to help developers track their dependencies, monitor the security of their programs, and make sure any potential vulnerabilities are removed as easily as possible by automatically creating PRs to resolve them.
-
Homebrew 1.9 Adds Linux Support, Auto-Cleanup, and More
The latest release of popular macOS package manager Homebrew includes support for Linux, optional automatic package cleanup, and extended binary package support. InfoQ has spoken with Mike McQuaid, current maintainer of the project.
-
Kubernetes Package Manager Helm Now Hosted by the CNCF
Earlier in the month the Cloud Native Computing Foundation (CNCF) Technical Oversight Committee (TOC) voted to accept Helm as an incubation-level hosted project. Helm is a package manager that provides an “easy way to find, share, and use software built for Kubernetes”.
-
NPM Releases New Security Features
Today, Npm released new features that should help secure the package registry from attackers. The use of two-factor authentication and authentication token restrictions should help keep packagers more secure.
-
Yarn 1.0 Adds Workspaces, Auto-Merge and Selective Version Resolution
Almost a year ago we published the news Facebook Open Sources Yarn, a JavaScript Package Manager, introducing Yarn and the motivation behind its creation. The community has moved the project forward, releasing the first major version with workspaces, automatic merging, selective version resolution and many other features and fixes.
-
Npm 5.0 Boosts Common Sense Performance
Npm 5.0 is a highly anticipated release that has been years in the making. The new version of the JavaScript package manager has a completely rewritten cache and performance that is more in line with its most direct competitor.