January 29, 2022

What's in your package.json? (JS Party #210)

1 hour 9 minutes

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

Join the discussion

Changelog++ members save 3 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

Sentry – Working code means happy customers. That’s exactly why teams choose Sentry. From error tracking to performance monitoring, Sentry helps teams see what actually matters, resolve problems quicker, and learn continuously about their applications - from the frontend to the backend. Use the code CHANGELOG and get the team plan free for three months.

Changelog++ – You love our content and you want to take it to the next level by showing your support. We’ll take you closer to the metal with no ads, extended episodes, outtakes, bonus content, a deep discount in our merch store (soon), and more to come. Let’s do this!

Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com

Featuring:

Tobie Langel – Website, GitHub, X
Amal Hussein – GitHub, X
Feross Aboukhadijeh – Website, GitHub, X
Christopher Hiller – Website, GitHub, Mastodon, X

Show Notes:

Open source developer corrupts widely-used libraries, affecting tons of projects - The Verge

Tobie’s tweet thread on this self-sabotage

Tobie’s talk on OSS Sustainability

Working in Public | A book by Nadia Eghbal

Four types of OSS projects mentioned in Nadia’s book

Renovate | A Dependency Management Bot

Dependabot | Another OSS Dependency Bot

Sustain OSS | A space for conversations about sustaining open source

Tidelift

SBOM - Software Bill of Materials (official US Government Site & Docs)

Software Bill of Materials’ — Not just good for security, good for business | The Hill

Executive Order on Improving the Nation’s Cybersecurity

Tidelift’s SBOM generation service

Popular NPM package UA-Parser-JS poisoned with cryptomining, password-stealing malware | The Daily Swig

Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure / Ford Foundation

Socket (Security project that Feross is working on)

Does open source need its own Priority of Constituencies?

Unlock Open

who accused me of co-founding npm

Something missing or broken? PRs welcome!

...more

View all episodes

By Changelog Media

4.4

2929 ratings