The one with the npm security stories

🇺🇦 #​437 — May 12, 2022

Read on the Web

Node Weekly

An Enhanced 2FA Experience for Your

Account — Over the past six months, GitHub has been keen to tighten up security around the publishing of

packages with two-factor authentication at the heart of the effort. Now an array of improved 2FA features are in public beta for you to try out, but all maintainers of the top 500 npm packages will be enrolled in a mandatory fashion on May 31.

Myles Borins (GitHub)

Couchbase Capella DBaaS: Store in JSON, access with SQL — Build faster with in-memory performance, automatic replication and scaling. Try it now for free and be live in under 3 minutes.

Couchbase sponsor

Ryan Dahl on JavaScript Containers — Ryan, originally known for Node and now Deno, thinks about JavaScript as being a universal scripting language and how the JS sandbox acts as a sort of high level version of the traditional Linux container and will only become more important in the next few years.

Ryan Dahl

Mystery of Industry-Focused Backdoored npm Packages Solved — Snyk, JFrog and ReversingLabs spent a fair bit of time investigating modules that were built by an intern at a security research company researching dependency confusion.

The Register

Quick bytes:

• 📅 NodeConf EU is taking place this October 3-5 in Ireland. There’s a call for speakers open until July 6 if you want to speak.

• The popular Jest JavaScript testing framework is joining the OpenJS Foundation.

• A common reason for new Node releases is the discovery of vulnerabilities in key dependencies like OpenSSL or (rarely) V8. OpenSSL has a new low severity one explained in this post by Rafael Gonzaga but it’s not significant enough to trigger new Node releases at this time.

• Node 16 LTS is now available on Vercel. Official AWS Lambda support is also just around the corner..

• If you’re wondering why 2FA is a big deal for npm, well.. buying expired domains to take over popular packages is a thing.

What’s Involved in Running a Ransomware Attack in a Node Module — What began as a learning experiment to see how difficult it would be turned into concern at how easy it was..

Charlie Gerard

Keep Up with the Latest in Startups, Tech, & Programming in Just 5 Min

TLDR Newsletter sponsor

How We Employed The New ES Module Support in TypeScript

Yonatan Kra

How to Use the GitHub Pulls API to Manage Pull Requests

Carlos Schults

Managing OAuth 2.0 User Credentials in Your Node App

Shehzad Akbar

GraphQL Yoga 2.0: A Light But Fully-Featured GraphQL Server — Bills itself as the ‘easiest way to run a GraphQL server’. Yoga follows the GraphQL over HTTP spec, supports file uploaded, subscriptions over HTTP Server Sent Events, and more – plus it’ll work on Node, Deno, or even serverlessly. GitHub repo.

Michał Tyszkiewicz

URL State Machine: A Fast Spec-Compliant URL State Machine — Aims to follow the WhatWG spec on the matter.

Yagiz Nizipli

Agenda 4.3: Lightweight Job Scheduling for Node — Uses a MongoDB-backed persistence layer and offers rate limiting, pause/resume, and repeatable jobs.

Ryan Schmukler

Data-Driven Edge Functions with Netlify and Polyscale.ai

PolyScale.ai sponsor

nve 15.0: Run Things With a Specific Node.js Version — Easily execute a file, command, or REPL using a specific version (or multiple versions) of Node. For example, you could run

over multiple versions at once.

ehmicky

Kafka.js 2.0: A Modern Apache Kafka Client — Production ready and supports Kafka 0.10+. (Kafka is a popular open source system for working with stream-processing at scale.) As the first major release in 4 years, there’s a migration guide for existing users.

Túlio Ornelas

The Official MongoDB Node.js Driver v4.6.0 — You can now define your own custom type for the top level document returned in a

event.

MongoDB Inc.

Hexo 6.2: A Fast and Simple Node.js Blog Framework

Hexo