Changelog Master Feed artwork

The massive bug at the heart of npm (JS Party #282)

Changelog Master Feed

English - July 07, 2023 16:30 - 1 hour - 58.2 MB - ★★★★ - 28 ratings
Technology Education How To changelog open source oss software development developer hacker Homepage Download Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Previous Episode: Cambrian explosion of generative models (Practical AI #230)
Next Episode: Oracle smacks IBM over RHEL (Changelog News #52)

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Leave us a comment

Changelog++ members save 2 minutes on this episode because they made the ads disappear. Join today!

Sponsors:



Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com
Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.
Typesense – Lightning fast, globally distributed Search-as-a-Service that runs in memory. You literally can’t get any faster!
Changelog News – A podcast+newsletter combo that’s brief, entertaining & always on-point. Subscribe today.

Featuring:


Darcy Clarke – Mastodon, Twitter, GitHub, LinkedIn, WebsiteAmal Hussein – Twitter, GitHubFeross Aboukhadijeh – Twitter, GitHub, Website

Show Notes:



Darcy / vlt’s blog post on this massive npm bug
Feross / Socket’s follow-up blog post in this issue
Refactor Conf - Darcy & Feross will be speaking in July
Verdaccio (not to be mistaken with Versace) - an open source npm registry proxy
Github layoffs for engineering team in India
Bug filled July 28th, 2022 related to binding.gyp and triaged on October 22nd, 2022
Darcy’s original test POC from Nov 2nd, 2022
Darcy’s POC from March 8th, 2023 which was used in the HackerOne report to Github
Legacy docs for npm publish params
Tool for checking packages for manifest mismatches
Great resource for security acronyms

Something missing or broken? PRs welcome!

Twitter Mentions