The one with the npm security stories
🇺🇦 #437 — May 12, 2022
An Enhanced 2FA Experience for Your npm Account — Over the past six months, GitHub has been tightening up security around the publishing of npm packages, with two-factor authentication at the heart of the effort. An array of improved 2FA features is now in public beta for you to try out, and 2FA becomes mandatory for maintainers of the top 500 npm packages on May 31.
Myles Borins (GitHub)
Couchbase Capella DBaaS: Store in JSON, access with SQL — Build faster with in-memory performance, automatic replication and scaling. Try it now for free and be live in under 3 minutes.
Mystery of Industry-Focused Backdoored npm Packages Solved — Snyk, JFrog and ReversingLabs spent a fair bit of time investigating modules that were built by an intern at a security research company researching dependency confusion.
A common reason for new Node releases is the discovery of vulnerabilities in key dependencies like OpenSSL or (rarely) V8. OpenSSL has a new low-severity issue, explained in this post by Rafael Gonzaga, but it’s not significant enough to trigger new Node releases at this time.
If you’re wondering why 2FA is a big deal for npm: buying the expired domain behind a maintainer’s registered email address, then requesting a password reset, is an established way to take over popular packages, and it works against any account that isn’t protected by 2FA.
What’s Involved in Running a Ransomware Attack in a Node Module — What began as a learning experiment to see how difficult it would be turned into concern at how easy it is: npm runs a package’s install-time lifecycle scripts automatically during npm install, with the installing user’s privileges.
How to Use the GitHub Pulls API to Manage Pull Requests
Managing OAuth 2.0 User Credentials in Your Node App
🛠 Code & Tools
GraphQL Yoga 2.0: A Light But Fully-Featured GraphQL Server — Bills itself as the ‘easiest way to run a GraphQL server’. Yoga follows the GraphQL over HTTP spec, supports file uploads, subscriptions over Server-Sent Events, and more – plus it’ll work on Node, Deno, or even serverlessly. GitHub repo.
URL State Machine: A Fast Spec-Compliant URL State Machine — Aims to follow the WHATWG URL spec on the matter.
Agenda 4.3: Lightweight Job Scheduling for Node — Uses a MongoDB-backed persistence layer and offers rate limiting, pause/resume, and repeatable jobs.
nve 15.0: Run Things With a Specific Node.js Version — Easily execute a file, command, or REPL using a specific version (or multiple versions) of Node. For example, you could run npm test over multiple versions at once.
Kafka.js 2.0: A Modern Apache Kafka Client — Production ready and supports Kafka 0.10+. (Kafka is a popular open source system for working with stream-processing at scale.) As the first major release in 4 years, there’s a migration guide for existing users.
The Official MongoDB Node.js Driver v4.6.0 — You can now define your own custom type for the top level document returned in a change event.
Find Tech Jobs with Hired — Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It’s free for job-seekers.