July 07, 2023

The massive bug at the heart of npm (JS Party #282)

Listen Later

1 hour 3 minutes

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Join the discussion

Changelog++ members save 2 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com

Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.

Typesense – Lightning fast, globally distributed Search-as-a-Service that runs in memory. You literally can’t get any faster!

Changelog News – A podcast+newsletter combo that’s brief, entertaining & always on-point. Subscribe today.

Featuring:

Darcy Clarke – Website, GitHub, LinkedIn, Mastodon, X
Amal Hussein – GitHub, X
Feross Aboukhadijeh – Website, GitHub, X

Show Notes:

Darcy / vlt’s blog post on this massive npm bug

Feross / Socket’s follow-up blog post in this issue

Refactor Conf - Darcy & Feross will be speaking in July

Verdaccio (not to be mistaken with Versace) - an open source npm registry proxy

Github layoffs for engineering team in India

Bug filled July 28th, 2022 related to binding.gyp and triaged on October 22nd, 2022

Darcy’s original test POC from Nov 2nd, 2022

Darcy’s POC from March 8th, 2023 which was used in the HackerOne report to Github

Legacy docs for npm publish params

Tool for checking packages for manifest mismatches

Great resource for security acronyms

Something missing or broken? PRs welcome!

...more

View all episodes

View all episodes

Download on the App Store

Download on the App Store

Get it on Google Play

Changelog Master Feed

By Changelog Media

4.4

2929 ratings

July 07, 2023

The massive bug at the heart of npm (JS Party #282)

Listen Later

1 hour 3 minutes

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Join the discussion

Changelog++ members save 2 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com

Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.

Typesense – Lightning fast, globally distributed Search-as-a-Service that runs in memory. You literally can’t get any faster!

Changelog News – A podcast+newsletter combo that’s brief, entertaining & always on-point. Subscribe today.

Featuring:

Darcy Clarke – Website, GitHub, LinkedIn, Mastodon, X
Amal Hussein – GitHub, X
Feross Aboukhadijeh – Website, GitHub, X

Show Notes:

Darcy / vlt’s blog post on this massive npm bug

Feross / Socket’s follow-up blog post in this issue

Refactor Conf - Darcy & Feross will be speaking in July

Verdaccio (not to be mistaken with Versace) - an open source npm registry proxy

Github layoffs for engineering team in India

Bug filled July 28th, 2022 related to binding.gyp and triaged on October 22nd, 2022

Darcy’s original test POC from Nov 2nd, 2022

Darcy’s POC from March 8th, 2023 which was used in the HackerOne report to Github

Legacy docs for npm publish params

Tool for checking packages for manifest mismatches

Great resource for security acronyms

Something missing or broken? PRs welcome!

...more

More shows like Changelog Master Feed

Hanselminutes with Scott Hanselman by Scott Hanselman

Hanselminutes with Scott Hanselman

377 Listeners

Software Engineering Radio - the podcast for professional software developers by se-radio@computer.org

Software Engineering Radio - the podcast for professional software developers

272 Listeners

The Changelog: Software Development, Open Source by Changelog Media

The Changelog: Software Development, Open Source

284 Listeners

Thoughtworks Technology Podcast by Thoughtworks

Thoughtworks Technology Podcast

40 Listeners

Talk Python To Me by Michael Kennedy

Talk Python To Me

590 Listeners

Software Engineering Daily by Software Engineering Daily

Software Engineering Daily

621 Listeners

Python Bytes by Michael Kennedy and Brian Okken

Python Bytes

215 Listeners

Syntax - Tasty Web Development Treats by Wes Bos & Scott Tolinski - Full Stack JavaScript Web Developers

Syntax - Tasty Web Development Treats

987 Listeners

CoRecursive: Coding Stories by Adam Gordon Bell - Software Developer

CoRecursive: Coding Stories

189 Listeners

Kubernetes Podcast from Google by Abdel Sghiouar, Kaslin Fields

Kubernetes Podcast from Google

181 Listeners

Practical AI by Practical AI LLC

Practical AI

192 Listeners

The Stack Overflow Podcast by The Stack Overflow Podcast

The Stack Overflow Podcast

62 Listeners

Oxide and Friends by Oxide Computer Company

Oxide and Friends

47 Listeners

Latent Space: The AI Engineer Podcast by swyx + Alessio

Latent Space: The AI Engineer Podcast

75 Listeners

The Pragmatic Engineer by Gergely Orosz

The Pragmatic Engineer

53 Listeners