⚡️ #7: Use npm query and jq to dig into your dependencies youtube.com/watch?v=h_Zpix
You can use the new "npm query" command and jq to answer interesting questions about your package's dependencies
#terminalrocks
npm’s Tweets
Today we opened an RFC with a proposal of how npm can collaborate with to link packages to their source and build, a significant improvement to the supply chain security of the JavaScript ecosystem.
🚀 we just shipped npm v8.16.0 with the new `npm query` command
📦 this new feature allows developers to quickly ask & answer questions about their project's dependencies. you can learn more here: github.blog/changelog/2022
⬇️ to get it now, run:
$ npm install -g npm
We've launched a number of security enhancements to npm including:
* Improved login and publish experience w/ CLI
* Connecting GitHub + Twitter accounts
* All packages have been resigned and a new command `npm audit signatures`
Read more at:
do you publish from an npm workspace & use a root-level ignore file? if so, you should update to npm v8.11.0 or the latest versions of Node.js 16/17/18 to avoid a recently discovered vulnerability that wouldn't respect these files.
read the advisory here:
GitHub has been actively investigating the attack campaign around stolen OAuth tokens, of which was a victim organization. Today we’re sharing our final impact analysis for npm as well as additional findings. github.blog/2022-05-26-npm
Quote Tweet
GitHub has uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI. Read more about the impact to GitHub, npm, and our users. github.blog/2022-04-15-sec
🔒 an enhanced npm 2FA experience is now available in public beta. it includes:
* support for physical security keys and biometric devices
* support for multiple second factors
* a new 2FA configuration menu
and more!
🚀 Our CLI team just shipped their weekly release!
📦 npm@8.9.0 makes `npm owner` workspace-aware & also comes with some docs, deps & core updates/fixes.
⬇️ Get it now:
$ npm install -g npm
See more in the changelog:
A new cli release is out! 🚀
📦 npm@8.8.0 adds a new `--install-links` option to opt into packing+install dependencies defined using the `file:` protocol instead of symlinking.
⬇️ Get it now:
$ npm install -g npm
See more in the changelog:
we've got a jam-packed Open RFC call today w/ some exciting topics like: v9 roadmap, `npm query` + dependency selector syntax, command-specific configuration & more...
come join us live at 2pm EST: github.com/npm/rfcs/issue
#npm #nodejs #javascript
It's npm cli release day again! 🎉
🚀 npm@8.4.1
- fixes `npm ci` lock file validation
- fixes parsing aliases in `npm outdated`
- And more!
⬇️ Get it now:
npm install -g npm
See more in the changelog:
exciting open rfc meeting planned today at 11am pt / 2pm et; we've got a full agenda including new rfcs for package distributions & ux changes to clean up deprecation warnings: github.com/npm/rfcs/issue
🎙 come join the discussion or watch live on youtube
today we enrolled all maintainers of the top-100 npm packages in mandatory 2FA. read more about it on our blog:
we hope to see you at our weekly open rfc meeting today! check out what's on the agenda and how to join ⬇️
we just shipped a number of security-focused improvements to npm including:
- naming access tokens
- enforcing 2FA in your npm orgs
- improved auditing for 2FA adoption in orgs
- selecting teams when adding new org members
read more in our Changelog ⬇️
open rfc meeting is on for today and we've got a full agenda! we'll see you at 11am pt / 2pm et 🕚
Demo Days is live! Join us to talk complex workflows, managing multiple projects in a single monorepo, securing dependencies and more with the CLI.
In case you missed it, the CLI has been making big strides lately. Join us this Friday on Demo Days and we’ll deep dive into Workspaces, Overrides and more!
linkedin.com/feed/update/ur
continuing our commitment to npm security with the introduction of new enhanced login verification and timeline for two-factor authentication enforcement
today’s open rfc meeting agenda features running `prepare` scripts for linked bundled dependencies, and more!
come and join the conversation 🎙️
📣 this week's open rfc meeting kicks off in 30 mins. we hope you'll join us!
an update on recent security incidents across the registry as well as a look into our ongoing investments in maintaining the security of the registry (including 2FA requirements) ⬇️
joining us for this week's open rfc? meeting starts at 11am pt / 2pm et 🕰️
following ongoing investigations, we identified in real time multiple versions of the “rc” package containing identical malware to the “coa” package. malicious versions of “rc” were immediately removed from the registry and we have published an advisory:
to protect your accounts and packages from similar attacks, we highly recommend enabling 2FA on your npm account: docs.npmjs.com/configuring-tw. [3/3]
this morning we detected multiple versions of the “coa” package published with malicious code due to a compromised account of a maintainer. we quickly removed the compromised versions and have published an advisory: github.com/advisories/GHS. npm itself was not compromised. [1/3]
📢 no open rfc meeting today. we'll see everyone next week!
this week’s open rfc starts in about 10 minutes! 🖥️
📢 open rfc meeting is on for today! check out the agenda in advance ⬇️
yep, the cli is now v8. this allows us to drop 10 support, making it easier to maintain the cli and removing friction in your development
continuing our quest to secure the supply chain with today’s announcement that the Advisory Database now powers npm audit ✅