npm bulk trusted publishing config and script security now generally available. Two new features are available today in npm CLI v11.10.0+. Bulk configuration for OIDC trusted publishing: maintainers can now add or update trusted publishing configurations across multiple packages in a single operation using the npm trust command instead of configuring each package individually. New --allow-git flag
Every time you run npm install, you're executing arbitrary code from potentially thousands of packages and package authors. "Install scripts" are run automatically, with full access to your system before you've even had a chance to review what's being installed. Unfortunately, this "download anything and run everything" model has been a security blind spot for years; that ends today. Today, we're
npm security update: Classic token creation disabled and granular token changes. Editor's note (November 5, 2025): We've updated this post to explicitly clarify that the affected tokens are npm tokens. Today marks another milestone in our ongoing effort to strengthen npm's security. As previously announced, we're implementing the first set of changes to npm's token management system. Important: The
cleaning house in nx monorepo, how i removed 120 unused deps safely. Short version: I ran Knip across our Nx repo, took the "unused" list as a hint, deleted candidates, built, tested, booted apps, and put a few back when they were secretly used. Net, about 120 packages gone. Yarn install dropped by roughly a minute. Fewer CVE nags. Everyone slept better. The situation: We got a chunky Nx monorepo. Ro
Strengthening npm security: Important changes to authentication and token management. As part of our ongoing commitment to securing the npm ecosystem, we're implementing the first phase of security improvements outlined in our recent announcement. These changes will roll out over the coming five weeks, completing by mid-November 2025, and require action from package maintainers. We're taking this pha
9.0.0 (2025-09-23). Bug Fixes: publish: ensure README file names are populated on package.json (#4211) (362875d). Features: support OIDC trusted publishing (d51e344). OIDC trusted publishing is now supported by Lerna with no specification configuration required. A new guide has been added: https://lerna.js.org/docs/recipes/oidc-trusted-publishing. A fully working example repo has been set up here https:
Software developers typically rely upon a large network of dependencies to build their applications. For instance, the NPM package repository contains over 3 million packages and serves tens of billions of downloads weekly. Understanding the structure and nature of packages, dependencies, and published code requires datasets that provide researchers with easy access to metadata and code of package
Executive Summary: The NPM ecosystem is facing another critical supply chain attack. The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats: the malware includes a self-propagating mechanism that automatically
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb's packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3, @duckdb/[email protected], duckdb@1.3.3, @duckdb/duckdb-wasm@1.29.2. Note: The curr
Starting at September 8th, 13:16 UTC, our Aikido intel feed alerted us to a series of packages being pushed to npm which appeared to contain malicious code. These were 18 very popular packages: backslash (0.26m downloads per week), chalk-template (3.9m downloads per week), supports-hyperlinks (19.2m downloads per week), has-ansi (12.1m downloads per week), simple-swizzle (26.26m downloads per week), color-st