Official Node JS 🫖 TPOT @node_camp

Here we go again

StepSecurity @step_security

3 days ago

🚨 Breaking: 31 npm packages from @RedHat have been compromised. 100,000+ weekly downloads affected. The upstream CI/CD pipeline was compromised, with all packages published via GitHub Actions OIDC. The payload: ⚠️ Reads GitHub Actions runner process memory to extract masked

5 73 213 61K 77

@forestmars I havent gotten big into tuis yet. Im not sure I get it. My white whale right now is plastron- i just google my repo and several other better 0lastrons came up hence late tweet response. Still coping github.com/rheophile10/pl…

But does it support nested overrides? 😂

Bun @bunjavascript

2 weeks ago

90 116 2K 517K 140

microsoft.com/en-us/security…

@rickyfm 🤣

@islamgshehata @dreamsofcode_io My vote is for quality + speed (as long as someone else is paying.)

Sound Mode is tsz's experiment in stricter TypeScript checking: tsz.dev/sound-mode/

It isn't unexpected that the focus of the Bun Rust rewrite is on the anti-Zig side more than anything, since the internet loves to hate. What is unexpected and unfortunate is that leadership within Bun hasn't tried to steer the conversation away from that at all. There are so many positive and interesting takeaways from this and I'm not really seeing any of them pushed as the primary message. A positive thing that hasn't been talked about at all is how far Bun came thanks to Zig. And even if you dump it now, its meaningful for how good Zig was to even build a product to this point and impact by any metric. I would've loved to see anyone in leadership say this. On the interesting side is how fungible programming languages are nowadays. Programming languages used to be LOCK IN, and they're increasingly not so. You think the Bun rewrite in Rust is good for Rust? Bun has shown they can be in probably any language they want in roughly a week or two. Rust is expendable. Its useful until its not then it can be thrown out. That's interesting! There's been a lot of talk about memory safety and no doubt Rust provides more guarantees than Zig. But I'd love to see a better analysis of why Bun in particular suffered so much rather than take the language-blame path. How could engineering as a practice been more rigorous to prevent this? What were the largest sources of crashes other programs should watch out for? How does Rust prevent them? How could Zig theoretically prevent them? That's interesting. I know the official blog post hasn't come out yet from Bun. But they're smart enough to know that that PR would stir up controversy the moment it opened, or they should've been. And plenty in the company have been tweeting and writing about it. Its somewhat telling to me in various dimensions what they chose to talk about first. I tend to think I'm pretty good at corporate PR/comms (especially when it comes to developer audiences) and I think appealing to the negative is never the right long term strategy; it does work to get short term eyes though.

It gets better.

Socket @SocketSecurity

3 weeks ago

Update: Socket has found 121 more compromised npm package artifacts across 84 package names, including 64 UiPath artifacts. Combined w/ TanStack, the current known total is 205 affected npm package artifacts across enterprise automation, AI/MCP, auth, workflow, and dev tooling.

49 252 1K 1.1M 578

SECURITY ADVISORY — TanStack npm packages A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package. Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down. Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys. If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised: • Rotate cloud, GitHub, and SSH credentials immediately • Audit cloud audit logs for the last several hours • Pin to a prior known-good version and reinstall from a clean lockfile Detection — the malicious manifest contains: "optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." } Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root). Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level. Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route… Credit to the security researcher for responsible disclosure.

@matteocollina @nodejs @bunjavascript It worked out well for TypeScript! (In Go, not Rust obviously) x.com/node_camp/stat…

Official Node JS 🫖 TPOT @node_camp

9 months ago

@kamilaturap

0 0 5 794 0

In 4 days, bun's Rust rewrite went from 16,000 errors to 99.8% passing.

Jarred Sumner @jarredsumner

4 weeks ago

99.8% of bun’s pre-existing test suite passes on Linux x64 glibc in the rust rewrite

128 169 3K 651K 406

Safe versions: [email protected] and [email protected]. Prophylactic measures: 𝚒𝚐𝚗𝚘𝚛𝚎-𝚜𝚌𝚛𝚒𝚙𝚝𝚜=𝚝𝚛𝚞𝚎 → in .npmrc 𝚗𝚙𝚖𝙼𝚒𝚗𝚒𝚖𝚊𝚕𝙰𝚐𝚎𝙶𝚊𝚝𝚎: 𝟹𝚍 → in .yarnrc.yml

Feross @feross

2 months ago

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios

542 4K 16K 12.4M 7K

@TechByTaraa Why not just ask for a show of hands for Express? 😄

⚡️ Vite 8.0 is here! The most significant architectural change since Vite 2. ⏬ Powered by Rolldown bringing faster production builds and more consistency 🛤️ New features such as tsconfig paths and emitDecoratorMetadata support

Introducing TanStack Intent: Ship Agent Skills with Your npm Packages: tanstack.com/blog/from-docs…

@bunjavascript TBH, it looks more like: 𝚃𝚢𝚙𝚎𝙴𝚛𝚛𝚘𝚛: 𝙽𝚘𝚝𝙸𝚖𝚙𝚕𝚎𝚖𝚎𝚗𝚝𝚎𝚍𝙴𝚛𝚛𝚘𝚛: 𝚠𝚘𝚛𝚔𝚎𝚛_𝚝𝚑𝚛𝚎𝚊𝚍𝚜.𝚆𝚘𝚛𝚔𝚎𝚛({ 𝚜𝚝𝚍𝚘𝚞𝚝: 𝚝𝚛𝚞𝚎 }) 𝚒𝚜 𝚗𝚘𝚝 𝚢𝚎𝚝 𝚒𝚖𝚙𝚕𝚎𝚖𝚎𝚗𝚝𝚎𝚍 𝚒𝚗 𝙱𝚞𝚗.

@mwfowlie @bunjavascript It's not like federal workers are going to complain.

@bunjavascript If you don't fix node:worker_threads in v1.3.10, you might be. Hard to put you in the prod supply chain if we can't even run standard logging.

@Thinkwert @bunjavascript swag is getting out of control.