A major npm registry vulnerability
November 18, 2021
GitHub on npm Ecosystem Security (and a Major Bug They’ve Fixed) — GitHub became the custodian of the main npm registry in 2020 when it acquired npm Inc., and in this post they share details on how they’re improving its security. Rather worryingly, they recently identified two issues, one of which meant an attacker could publish new versions of any npm package without proper authorization(!) GitHub assures us, however, that it has not been “exploited maliciously” during the timeframe for which they have telemetry (September 2020 onward). Mike Hanley (GitHub)
A Complete Intro to Building For Real-Time — Join Brian Holt for this detailed course on building apps that can push client messages up to the server and talk in real time. You’ll learn long polling, how to open WebSockets, the Socket.IO abstraction, HTTP/2 Push, retry strategies, and more. Frontend Masters
Announcing TypeScript 4.5 — Just two weeks after the RC comes the final release. What’s new? The formerly promised ES module support for Node is now merely experimental and in nightly releases only, but you also get the Daniel Rosenwasser (Microsoft)
Electron 16.0.0 Released — Electron, the toolkit for building cross-platform desktop apps with JavaScript, is now one of those projects with a fast, regular release cadence, so there are no huge changes here, but you get Chrome 96, Node 16.9.1 and V8 9.6 support, as well as the WebHID API. OpenJS Foundation
🛠 Code & Tools
Execa 6.0: A Better Sindre Sorhus