-
Malicious PyPI Package Removes netstat, Tampers with SSH Config
A recent report by Sonatype security researcher Ax Sharma highlights newly discovered malicious packages on the PyPI registry, including aptx, which can install the Meterpreter trojan disguised as pip, delete the netstat system utility, and tamper with the SSH authorized_keys file.
-
NPM Package Masquerading as Popular Material Tailwind Library To Install Malicious Code
Researchers at ReversingLabs discovered a malicious npm package masquerading as the Material Tailwind library. Their finding highlights a new trend among threat actors for installing malicious code, dubbed impostor packages, say the researchers.
-
Securing the Open-Source Software Supply Chain
Recent findings by security researchers at SonarSource showed multiple security vulnerabilities in popular package managers, including Pip, Yarn, Composer, and others. Package managers, though, are not the only weak link in the open source security chain. InfoQ has spoken with Sonatype CTO Brian Fox.
-
Npm 7 Now Generally Available, Supports Workspaces and Deterministic Builds
The recently released npm 7 adds several features requested by developers, e.g. support for workspaces, better support for peer-dependency management, and deterministically reproducible builds. npm 7 is a big release that includes several breaking changes aimed at improving the overall developer experience.
-
The JavaScript Coder's Guide to Getting More from GitHub and Npm - GitHub Satellite 2020
Edward Thomson, npm product manager at GitHub, recently explained at GitHub Satellite 2020 the implications of npm joining GitHub for JavaScript developers and how to get the best out of GitHub for both open source and professional work.
-
GitHub to Acquire Npm in an Effort to Provide Continuity and Improvement
GitHub's CEO Nat Friedman has announced an agreement to buy npm, the default package manager for the Node.js ecosystem. Npm will remain free to use and will get the required investments to keep it fast and reliable, says Friedman, as well as more secure.
-
Npm, Inc. Announces Npm Pro for Independent JavaScript Developers
npm, Inc. recently announced the launch of npm Pro, designed for independent JavaScript developers. npm also rebranded its existing npm Orgs, which caters to teams of developers, as npm Teams.
-
Npm Bans Packages Which Display Ads via Its Command Line Interface
npm, Inc., the company behind the popular eponymous JavaScript package manager, will no longer allow packages which display ads. Developers will be able to silence terminal messages which push ads or call for donations, and which stem from the regular use of the npm command line interface.
-
Making 'npm install' Safe
At QCon New York 2019, Kate Sills, a software engineer at Agoric, discussed some of the security challenges in building composable smart contract components with JavaScript. Two emerging TC39 JavaScript proposals, realms and Secure ECMAScript (SES), were presented as solutions to security risks with the npm installation process.
-
NPM Adopted Rust to Remove Performance Bottlenecks
npm's exponential growth drove the npm engineering team to switch from Node.js to Rust to handle CPU-bound tasks that were going to become a performance bottleneck. A recent white paper gives an overview of the experience of developing the new service in Rust and running it in production for more than one year.
-
JSUI, a UI Toolkit for Managing JavaScript Apps
JSUI introduces a visual tool for creating and managing JavaScript applications. The project provides utilities and features for both front-end and back-end applications, and most of its features are independent of underlying JavaScript frameworks.
-
Package Containing Malicious Backdoor Makes its Way into NPM
The NPM security team removed a package masquerading as a cookie parser that actually contained a malicious backdoor, along with three other packages depending on it. The backdoor allowed attackers to inject arbitrary code into a running server and execute it.
-
Node.js 10.0 and npm 6 Released with Emphasis on Security
On April 24 the Node.js project released version 10.0.0 of Node.js and npm, Inc. released version 6.0 of npm. Both releases emphasized security improvements, with Node.js updating to OpenSSL version 1.1.0 and npm including new security-focused features such as automatic alerting on insecure dependencies. The Node.js release also included a new native programming API and stable HTTP2 support.
-
Last Npm Incident Uncovers Security Vulnerability
Last week, the npm registry had an operations incident that caused a number of highly depended-on packages, such as require-from-string, to become unavailable. While the incident was relatively straightforward to solve, it uncovered a major security vulnerability that could have been exploited to inject malicious code into projects using npm.
-
Yarn 1.0 Adds Workspaces, Auto-Merge and Selective Version Resolution
Almost a year ago we published the news item Facebook Open Sources Yarn, a JavaScript Package Manager, introducing Yarn and the motivation behind its creation. The community has moved the project forward, releasing the first major version with workspaces, automatic merging, selective version resolution and many other features and fixes.