Dominykas Blyžė
dominykas.social
Full of stack
Reposted by Dominykas Blyžė
❗️Node.js Security release pre-alert ❗️
We will release new versions of v20, v22, v24, v25 release lines on or shortly after the 15th of December 2025 in order to address:
* 3 high severity issues.
* 1 low severity issue.
* 1 medium severity issue.
nodejs.org/en/blog/vuln...
Node.js — Monday, December 15, 2025 Security Releases
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
December 8, 2025 at 5:50 PM
Reposted by Dominykas Blyžė
Hey @react.dev or @nextjs.org

I did a unique Defensive Coding workshop at DEFCON and NodeConfEU that's exploring techniques to avoid prototype pollution attacks, no matter how powerful.

I'd be willing to run it for free for the teams around RSC.

Do I know anybody who could help arrange that?
December 5, 2025 at 2:09 PM
Am I getting it right: your so-called president is pardoning a person convicted for drug trafficking, while blowing other alleged drug traffickers out of the water? And he will get away with it?
November 29, 2025 at 4:06 PM
Can't get over the fact that external security vendors are able to block malicious npm packages faster than Github.
November 27, 2025 at 7:19 PM
Reposted by Dominykas Blyžė
Folks would have seen a warning in sfw within minutes of the original publish, when automated scanning detected the potential malware and it was marked as “potential malware”. Further along in the malware campaign, human review was roughly happening in realtime, so sfw was blocking more quickly.
November 26, 2025 at 8:57 PM
Reposted by Dominykas Blyžė
Every option, including "no 2FA at all", *can* be made secure. The problem is that it shouldn't even be POSSIBLE to publish insecurely - and either way, defaults matter.

OIDC and token-based publishing are default insecure, full stop.
November 26, 2025 at 8:07 PM
Reposted by Dominykas Blyžė
We need them to enforce it on OIDC publish or turn OIDC publish off until it can be enforced, and to treat this with the urgency it needs.

I want to be able to stop having this discussion every other week and go into the new year without more supply chain incidents over the holidays.
November 26, 2025 at 7:31 PM
Hello? Microsoft? Any humans still there?
November 26, 2025 at 2:19 PM
@socket.dev hey folks, it is a bit unclear from your post, but which of the recent attacks was sfw able to catch in practice?
November 25, 2025 at 7:12 AM
Reposted by Dominykas Blyžė
> as in its current state it wouldn’t prevent attacks such as Shai-Hulud and other recent ones.

From our blog, almost like we knew. 🔮

openjsf.org/blog/publish...
Publishing More Securely on npm: Guidance from the OpenJS Security Collaboration Space | OpenJS Foundation
The OpenJS Security Collaboration Space has been working closely with GitHub’s npm team to understand how new security features affect projects and maintainers, especially as threats and tools keep ev...
November 24, 2025 at 7:58 PM
"grok". He friggin ruined the perfectly great word "grok". What an asshole.
November 17, 2025 at 7:09 PM
A lot of repos already have this information. Why are they being forced to put it in a different format in a different location for robots? Or did the robots get trained on human behavior to not read existing documentation?

github.blog/ai-and-ml/un...
Unlocking the full power of Copilot code review: Master your instructions files
Ready to make your code reviews smarter and easier? Learn how to structure your instructions files for better results, avoid common pitfalls, and see real-world examples to get started. 🚀
November 14, 2025 at 7:26 PM
Node.js is actually good now.

Opened a repo that has code that's probably some 7-8 years old, because it had a renovate PR for a while.

Closed the renovate PR and instead removed 6 dependencies, replacing them with built-ins.
November 14, 2025 at 4:01 PM
Reposted by Dominykas Blyžė
Not that anyone here needs to hear this, but for the record, in a democracy "people voted differently from the way I expected or hoped" does not constitute evidence of fraud, no matter how many pretty charts and graphs of "voting patterns" you make.
November 7, 2025 at 6:19 PM
Reposted by Dominykas Blyžė
I see a lot of people here being smug about AWS having a major outage. 😞

What happened to #hugops?
October 20, 2025 at 9:56 AM
I was going to say that staying in your neighborhood on a Saturday is not a protest, but a picnic. However that video 😲
October 19, 2025 at 9:25 AM
Reposted by Dominykas Blyžė
To give some credit (I don’t mean to be so harsh) it is a series of *really deep* paper cuts. But the real ailment is internal bleeding, and neither bandaids (the right paper cut treatment) nor the cast fix the problem.

We need forced 2FA supported from CI.
October 14, 2025 at 11:44 AM
Reposted by Dominykas Blyžė
Someone should make one of these giant frog style costumes that looks like an Irish Mammy. Then you can protest as Aunt Aoife.
October 13, 2025 at 6:16 AM
Reposted by Dominykas Blyžė
Get permanent access to publishing with a single factor as long as you publish from github, but no 2fa totp for your setup that can't be stolen at scale.
October 10, 2025 at 11:21 PM
Reposted by Dominykas Blyžė
Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.
October 10, 2025 at 8:29 PM
Reposted by Dominykas Blyžė
copilot is smarter than ever (we no longer have accurate counts of pull requests on the pull requests tab)
October 9, 2025 at 3:02 PM
Reposted by Dominykas Blyžė
🚀 BIG NEWS: We just shipped @platformatic/python - run Python ASGI apps INSIDE your Node.js process!

This changes everything for AI/ML + Node.js apps 🧵

youtu.be/8eAAP9IF4xA
Launching @platformatic/python: Bring Python ASGI to Your Node.js Applications
Today we are excited to ship @platformatic/python, a new capability for Watt, the Application Server for Node.js, that lets you run Python ASGI applications alongside your existing Node.js workloads.…
October 7, 2025 at 3:24 PM
Wha?! How is this even possible? Almost 1 GiB per day? I don't even watch the videos or anything.
October 3, 2025 at 5:52 PM
Just received an SMS from an unknown number.

Moments after, Google changed that to show me the first and last name of the person.

How is this legal?
September 26, 2025 at 2:46 PM