Changelog Master Feed

The massive bug at the heart of npm (JS Party #282)

Listen Later

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Join the discussion

Changelog++ members save 2 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

  • FastlyOur bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com
  • Fly.ioThe home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.
  • Typesense – Lightning fast, globally distributed Search-as-a-Service that runs in memory. You literally can’t get any faster!
  • Changelog News – A podcast+newsletter combo that’s brief, entertaining & always on-point. Subscribe today.

    • Featuring:

    • Darcy Clarke – Website, GitHub, LinkedIn, Mastodon, X
    • Amal Hussein – GitHub, X
    • Feross Aboukhadijeh – Website, GitHub, X

    Show Notes:

    • Darcy / vlt’s blog post on this massive npm bug
    • Feross / Socket’s follow-up blog post in this issue
    • Refactor Conf - Darcy & Feross will be speaking in July
    • Verdaccio (not to be mistaken with Versace) - an open source npm registry proxy
    • Github layoffs for engineering team in India
    • Bug filled July 28th, 2022 related to binding.gyp and triaged on October 22nd, 2022
    • Darcy’s original test POC from Nov 2nd, 2022
    • Darcy’s POC from March 8th, 2023 which was used in the HackerOne report to Github
    • Legacy docs for npm publish params
    • Tool for checking packages for manifest mismatches
    • Great resource for security acronyms

      • Something missing or broken? PRs welcome!

      ...more
      View all episodesView all episodes
      Download on the App Store
      Changelog Master FeedBy Changelog Media
      • 4.4
      • 4.4
      • 4.4
      • 4.4
      • 4.4

      4.4

      29 ratings

      More shows like Changelog Master Feed

      View all
      Software Engineering Radio - the podcast for professional software developers by team@se-radio.net (SE-Radio Team)

      Software Engineering Radio - the podcast for professional software developers

      274 Listeners

      Hanselminutes with Scott Hanselman by Scott Hanselman

      Hanselminutes with Scott Hanselman

      381 Listeners

      The Changelog: Software Development, Open Source by Changelog Media

      The Changelog: Software Development, Open Source

      288 Listeners

      Software Engineering Daily by Software Engineering Daily

      Software Engineering Daily

      627 Listeners

      Talk Python To Me by Michael Kennedy

      Talk Python To Me

      582 Listeners

      Soft Skills Engineering by Jamison Dance and Dave Smith

      Soft Skills Engineering

      288 Listeners

      Thoughtworks Technology Podcast by Thoughtworks

      Thoughtworks Technology Podcast

      43 Listeners

      The TWIML AI Podcast (formerly This Week in Machine Learning & Artificial Intelligence) by Sam Charrington

      The TWIML AI Podcast (formerly This Week in Machine Learning & Artificial Intelligence)

      436 Listeners

      Syntax - Tasty Web Development Treats by Wes Bos & Scott Tolinski - Full Stack JavaScript Web Developers

      Syntax - Tasty Web Development Treats

      989 Listeners

      CoRecursive: Coding Stories by Adam Gordon Bell - Software Developer

      CoRecursive: Coding Stories

      189 Listeners

      Kubernetes Podcast from Google by Abdel Sghiouar, Kaslin Fields

      Kubernetes Podcast from Google

      180 Listeners

      Practical AI by Practical AI LLC

      Practical AI

      205 Listeners

      The Stack Overflow Podcast by The Stack Overflow Podcast

      The Stack Overflow Podcast

      63 Listeners

      Big Technology Podcast by Alex Kantrowitz

      Big Technology Podcast

      501 Listeners

      Oxide and Friends by Oxide Computer Company

      Oxide and Friends

      66 Listeners