Darcy Clarke
@darcyclarke.me
darcyclarke.me
@vlt.sh Founder & Chief End-User Officer

Prev: GitHub, npm & Themify Co-Founder
Agent skills are the new postinstall scripts... #changemymind
February 4, 2026 at 12:26 AM
What do people use to stay up to date with/monitor socials these days? My feed is 🔥 with AI tools & I feel like my meat brain & thumbs can't process the thousands of experiments/insights. Do I just spin up OpenClaw & make it monitor socials w/ daily recaps?
February 3, 2026 at 4:32 PM
Reposted by Darcy Clarke
Doing some analytics with #NPM and this is the distribution of how many downloads NPM packages typically get.
January 30, 2026 at 6:46 PM
The @vlt.sh benchmark suite has been updated to include the yarn v6 canaries (still a WIP & improving all the time): benchmarks.vlt.sh
January 30, 2026 at 6:45 PM
Reposted by Darcy Clarke
I was recently on the Changelog podcast to talk about npm's security issues, what can be done, and why the npm registry is unique amongst programming language source code registries.
January 29, 2026 at 4:52 PM
Reposted by Darcy Clarke
nvm.sh users: please upgrade to github.com/nvm-sh/nvm/r... if you're using `wget` on your system, to fix a medium vulnerability (github.com/nvm-sh/nvm/s...).
Release v0.40.4 · nvm-sh/nvm
Bug Fixes: sanitize NVM_AUTH_HEADER in wget path; nvm_has_colors: also check if stdout is a terminal; nvm_strip_path: avoid gawk-specific RT variable for mawk compatibility; nvm_get_default_packages: ...
github.com
January 29, 2026 at 11:07 PM
Annnnnd it's gone. "Fed Rescinds Software Supply Chain Mandates Making SBOMs Optional". A lot of SecOps folks made a killing off this box checking. Hopefully they banked the money somewhere other than South Park: socket.dev/blog/federal...
GIF (media.tenor.com): a man in a suit and tie is sitting at a desk with a computer and the word "and" written on it
January 29, 2026 at 7:55 PM
Reposted by Darcy Clarke
Darcy Clarke and Ruy Adorno are longtime npm CLI maintainers and Node.js contributors. They join @joshuakgoldberg.com to discuss vlt, a new package manager and registry designed to improve performance, security, and developer experience.

@darcyclarke.me
@ruyadorno.com

bit.ly/3YNGniF
Next-Gen JavaScript Package Management with Ruy Adorno and Darcy Clarke - Software Engineering Daily
Package management sits at the foundation of modern software development, quietly powering nearly every software project in the world. Tools like npm and Yarn have long been the core of the JavaScript...
softwareengineeringdaily.com
January 22, 2026 at 10:34 AM
💙 20yrs since $(this) thing made you fall in love w/ the DOM & CSS selectors. Never forget the amazing work @johnresig.com & team did to make this happen & then ensure the awesomeness got standardized in Web APIs like querySelector() & querySelectorAll().

John, thanks for all the $ 😉
January 15, 2026 at 3:22 AM
Reposted by Darcy Clarke
@lukekarrys.com joins HalfStack Phoenix.

A practical story about building for kids, using NFC cards to control music, and turning everyday interactions into something playful and intuitive.

📅 January 30th, 2026 — Majestic Theater, Gilbert

🎟️ halfstackconf.com/phoenix

#HalfStackphoenix #TechEvents
January 9, 2026 at 6:11 PM
Reposted by Darcy Clarke
This just in: JavaScript uses memory.
GIF (media.tenor.com): a woman is standing in front of a sign that says "News 4"
December 22, 2025 at 3:44 PM
Reposted by Darcy Clarke
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a Fortune 500 tech company. www.npmjs.com/package/esli...
December 22, 2025 at 7:16 AM
GitHub's product leadership sure knows how to piss off developers these days
December 16, 2025 at 8:09 PM
Reposted by Darcy Clarke
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.

I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”

So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.

Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
December 12, 2025 at 1:08 PM
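The two posts above describe the same weakness: a TOTP verifier that checks a code against the current time step (plus a tolerance window) but never records that the step has been consumed, so a code that was phished or shoulder-surfed can be submitted again for the rest of the step. The example below is added here and is not code from either poster or from npm; it implements RFC 4226 HOTP / RFC 6238 TOTP with the standard's own SHA-1 test secret, and contrasts a naive stateless check with a verifier that keeps a per-account "last accepted step" and refuses anything at or below it. The function and class names (`verify_naive`, `StrictTotpVerifier`) and the in-memory `last_accepted_step` field are assumptions for illustration; a real service would persist that value per user.

```python
# Added example: RFC 6238 TOTP verification with the single-use rule enforced,
# next to a naive verifier that allows reuse within the time-step window.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to the requested number of decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_naive(secret, code, unix_time, step=30, digits=6, window=1):
    """Stateless check: accepts a code for the current or adjacent steps.
    Nothing records which step was already consumed, so the same code is
    accepted again until the step rolls over (the reuse the thread describes)."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


class StrictTotpVerifier:
    """Stateful check: remembers the highest time step already used for this
    account and refuses any code at or below it, so a captured code cannot be
    replayed inside its validity window. The last_accepted_step field stands
    in for per-user persistent storage (constructed example)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # no code accepted yet

    def verify(self, code, unix_time):
        counter = unix_time // self.step
        for d in range(-self.window, self.window + 1):
            candidate = counter + d
            if candidate <= self.last_accepted_step:
                continue  # this step, or an earlier one, was already consumed
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted_step = candidate
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), 8-digit codes.
RFC_SECRET = b"12345678901234567890"


def demo():
    """Submit the same valid code twice to each verifier; returns
    (naive_first, naive_replay, strict_first, strict_replay)."""
    code = totp(RFC_SECRET, 1111111109, digits=8)  # "07081804" per RFC 6238
    naive_first = verify_naive(RFC_SECRET, code, 1111111111, digits=8)
    naive_replay = verify_naive(RFC_SECRET, code, 1111111115, digits=8)
    strict = StrictTotpVerifier(RFC_SECRET, digits=8)
    strict_first = strict.verify(code, 1111111111)
    strict_replay = strict.verify(code, 1111111115)
    return naive_first, naive_replay, strict_first, strict_replay


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

Note that the strict verifier still honours the tolerance window for clock skew: a code from the previous step is accepted the first time, and a code from the next step is still accepted after it, only a step already consumed is refused. Storing the last accepted step per user is the whole mitigation; it costs one integer per account.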
Reposted by Darcy Clarke
Looking for a maintainer. Good opportunity if you want to manage a library with a lot of users

cc @reinhold.is I know storybook has its own version of this. Maybe they could be merged and managed in tandem?
December 4, 2025 at 1:03 AM
Who's going to be in Las Vegas this week for AWS re:Invent? Let's chat packages & supply chain security if you're here!
GIF (media.tenor.com): a cartoon of a man standing in front of a stack of cardboard boxes and the words "what the"
November 30, 2025 at 10:17 PM
Reposted by Darcy Clarke
The top licenses published on #npm .

Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]
November 26, 2025 at 8:43 PM
Reposted by Darcy Clarke
🚀 Here is @vlt.sh take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build

#javascript #nodejs #packages
Introducing Phased Package Installations
When you run vlt install, packages are downloaded and extracted to node_modules, but no lifecycle scripts execute.
blog.vlt.sh
November 19, 2025 at 6:38 PM
Seriously? Y'all had no idea?! HMU if you want to know about the "weaknesses" or "blind spots" with npm/GitHub or your security vendors.

arstechnica.com/security/202...
NPM flooded with malicious packages downloaded more than 86,000 times
Packages downloaded from NPM can fetch dependencies from untrusted sites.
arstechnica.com
October 30, 2025 at 12:11 AM
Reposted by Darcy Clarke
If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...
The Registry is Dead, Long Live the Registry! - Darcy Clarke, vlt
YouTube video by OpenJS Foundation
www.youtube.com
October 22, 2025 at 10:01 PM
Reposted by Darcy Clarke
Fantastic talk by @joyeecheung.bsky.social, a must watch to package authors that want to stay up-to-date on how to ship packages in this post require(esm) era: youtu.be/I0jvOJW7NaI #nodejs
Nordic.js 2025 • Joyee Cheung - Shipping Node.js packages in 2025
YouTube video by Nordic.js
youtu.be
October 21, 2025 at 2:24 AM
Reposted by Darcy Clarke
Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out.

Join me and check them out: www.vlt.sh
October 16, 2025 at 8:20 PM
👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢
October 13, 2025 at 12:06 PM
Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.
October 10, 2025 at 8:29 PM