Haoqun Jiang
@haoqun.dev
@vuejs.org core team member.
@vite.dev core team emeritus.
Worked on JS tooling. Learning new things.
https://haoqun.dev/
@vite.dev core team emeritus.
Worked on JS tooling. Learning new things.
https://haoqun.dev/
Reposted by Haoqun Jiang
@pnpm.io getting better by the day
pnpm.io/blog/release...
I still can't believe that a one-person package manager is doing better than npm CLI, owned by a corporate, where the resources of the two projects are incomparable.
Draw your own conclusions.
pnpm.io/blog/release...
I still can't believe that a one-person package manager is doing better than npm CLI, owned by a corporate, where the resources of the two projects are incomparable.
Draw your own conclusions.
pnpm 10.21 | pnpm
Added support for Node.js runtime installation for dependencies and a setting for configuring trust policy.
pnpm.io
November 10, 2025 at 11:37 AM
@pnpm.io getting better by the day
pnpm.io/blog/release...
I still can't believe that a one-person package manager is doing better than npm CLI, owned by a corporate, where the resources of the two projects are incomparable.
Draw your own conclusions.
pnpm.io/blog/release...
I still can't believe that a one-person package manager is doing better than npm CLI, owned by a corporate, where the resources of the two projects are incomparable.
Draw your own conclusions.
Apple forgot to turn off sourcemaps when shipping their new App Store website lol github.com/rxliuli/apps...
github.com
November 4, 2025 at 8:14 AM
Apple forgot to turn off sourcemaps when shipping their new App Store website lol github.com/rxliuli/apps...
lmao 🤣
Status pages everywhere show green, because Statuspage.io is ALSO down: customers cannot log in to update their status page and indicate the outage their eng teams know about!!
So a fail for Statuspage to depend on an AWS region... or DynamoDB (that seems to depend one AWS region?)
So a fail for Statuspage to depend on an AWS region... or DynamoDB (that seems to depend one AWS region?)
October 20, 2025 at 9:23 AM
lmao 🤣
Reposted by Haoqun Jiang
Published an article about mitigating supply chain attacks with pnpm
pnpm.io/supply-chain...
pnpm.io/supply-chain...
Mitigating supply chain attacks | pnpm
Sometimes npm packages are compromised and published with malware. Luckily, there are companies like [Socket], [Snyk], and [Aikido] that detect these compromised packages early. The npm registry usually removes the affected versions within hours. However, there is always a window of time between when the malware is published and when it is detected, during which you could be exposed. Fortunately, there are some things you can do with pnpm to minimize the risks.
pnpm.io
September 16, 2025 at 8:32 AM
Published an article about mitigating supply chain attacks with pnpm
pnpm.io/supply-chain...
pnpm.io/supply-chain...
Reposted by Haoqun Jiang
some thoughts about the bloat introduced by edge-case first libraries
The bloat of edge-case first libraries
How building edge-case first led to bloated, overly-granular libraries and what we can do about it
43081j.com
September 9, 2025 at 12:58 PM
some thoughts about the bloat introduced by edge-case first libraries
Reposted by Haoqun Jiang
We encourage everyone to migrate from using npm publish tokens to trusted publisher!
github.com/e18e/ecosyst...
github.com/e18e/ecosyst...
August 15, 2025 at 6:41 AM
We encourage everyone to migrate from using npm publish tokens to trusted publisher!
github.com/e18e/ecosyst...
github.com/e18e/ecosyst...
Finally, finally! SALVATION HAS ARRIVED! Time to refactor every GitHub Actions workflow! 🎉
OMG - GitHub Actions now supports Yaml Anchors
This somehow means you can create Yaml variables and reuse common values in CI jobs
I thought I'd never see this day happen
This somehow means you can create Yaml variables and reuse common values in CI jobs
I thought I'd never see this day happen
August 4, 2025 at 5:01 PM
Finally, finally! SALVATION HAS ARRIVED! Time to refactor every GitHub Actions workflow! 🎉
Wow, this was unexpected. I've got mixed feelings, but huge congrats to the team!
I am delighted to announce that @vercel.com are investing in Nuxt!
they are backing our vision of the open web, hiring me as well as other core team members (@atinux.com, @pi0.io + @antfu.me), to continue to work full time on Nuxt
we remain independent — and our vision and ethos are not changing 💚
they are backing our vision of the open web, hiring me as well as other core team members (@atinux.com, @pi0.io + @antfu.me), to continue to work full time on Nuxt
we remain independent — and our vision and ethos are not changing 💚
July 8, 2025 at 2:14 PM
Wow, this was unexpected. I've got mixed feelings, but huge congrats to the team!
Finally. I wish the community could migrate from the `packageManager` field to `devEngines` following this - always pinning versions is good in theory but way too cumbersome in practice.
📌 Just hours ago, the Node.js TSC officially voted to stop distributing Corepack. Future Node.js releases (i.e. 25+) won’t include it, but it will remain available separately.
socket.dev/blog/node-js... #nodejs #javascript
socket.dev/blog/node-js... #nodejs #javascript
Node.js TSC Votes to Stop Distributing Corepack - Socket
Corepack will be phased out from future Node.js releases following a TSC vote.
socket.dev
March 20, 2025 at 9:59 AM
Finally. I wish the community could migrate from the `packageManager` field to `devEngines` following this - always pinning versions is good in theory but way too cumbersome in practice.
Reposted by Haoqun Jiang
This thing is so useful. Especially for security - ensuring the published package is actually what exists in the source
March 14, 2025 at 3:12 PM
This thing is so useful. Especially for security - ensuring the published package is actually what exists in the source
😮💨 Still paying down the tech debt that accumulated during the transition from non-scoped packages to scoped ones… I’m lucky to have subscribed to @lirantal.com’s Node.js security newsletter. It’s always informative!
- www.alxndrsn.com/2024-08-01-n...
- www.nodejs-security.com/newsletter/n...
- www.alxndrsn.com/2024-08-01-n...
- www.nodejs-security.com/newsletter/n...
February 24, 2025 at 2:50 PM
😮💨 Still paying down the tech debt that accumulated during the transition from non-scoped packages to scoped ones… I’m lucky to have subscribed to @lirantal.com’s Node.js security newsletter. It’s always informative!
- www.alxndrsn.com/2024-08-01-n...
- www.nodejs-security.com/newsletter/n...
- www.alxndrsn.com/2024-08-01-n...
- www.nodejs-security.com/newsletter/n...
Reposted by Haoqun Jiang
Speeding up the JavaScript ecosystem part 11 is here! This time we're looking at:
Extending Rust tools with JavaScript plugins
marvinh.dev/blog/speedin...
Extending Rust tools with JavaScript plugins
marvinh.dev/blog/speedin...
Speeding up the JavaScript ecosystem - Rust and JavaScript Plugins
Up until recently, supporting JavaScript in Rust based tools has been deemed not worth it. The main concern is the overhead of the de-/serialization cost when sending data back and forth. But there is...
marvinh.dev
February 23, 2025 at 3:37 PM
Speeding up the JavaScript ecosystem part 11 is here! This time we're looking at:
Extending Rust tools with JavaScript plugins
marvinh.dev/blog/speedin...
Extending Rust tools with JavaScript plugins
marvinh.dev/blog/speedin...
Looks like Reka UI, the rebranded Radix Vue component library, has just got officially released 👀 It's such a cool name. Can't wait to try it out!
Reka
An open-source library with unstyled, primitive components, accompanied by a variety of examples & use cases ready to be integrated into your projects.
reka-ui.com
February 21, 2025 at 6:01 AM
Looks like Reka UI, the rebranded Radix Vue component library, has just got officially released 👀 It's such a cool name. Can't wait to try it out!
#TIL So this is the fastest way to import an ES module in the Node.js REPL… How did I never know about the `_` (underscore) auto-assignment in the REPL?!
nodejs.org/api/repl.htm... So many wasted keystrokes over the years!
nodejs.org/api/repl.htm... So many wasted keystrokes over the years!
![Screenshot of Node.js REPL with the following text:
› await import ("./index.js")
[Module: null prototype] { oneTrueDate: [Function: oneTrueDate] }
_.oneTrueDate(new Date())
'2024-03-01'](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:oiawuf6mbqiigagveorctrsj/bafkreif2lzwfhgecpevk6dzjefczhn5evybe2tp5bagdzmjo2k7jq5mmze@jpeg)
February 16, 2025 at 3:13 PM
#TIL So this is the fastest way to import an ES module in the Node.js REPL… How did I never know about the `_` (underscore) auto-assignment in the REPL?!
nodejs.org/api/repl.htm... So many wasted keystrokes over the years!
nodejs.org/api/repl.htm... So many wasted keystrokes over the years!
Resurfacing this post now that pnpm 10 is tagged as latest.
I forked Bun's internal allowlist for those who need the protection from this new default but don't want to bother reviewing every dependency one-by-one: github.com/haoqunjiang/...
February 5, 2025 at 7:52 AM
Resurfacing this post now that pnpm 10 is tagged as latest.
@acemarke.dev Hi Mark, I just noticed that the Bluesky link on your GitHub profile is invalid since you changed your handle. Just wanted to give you a heads-up in case you'd like to update it
January 30, 2025 at 7:43 AM
@acemarke.dev Hi Mark, I just noticed that the Bluesky link on your GitHub profile is invalid since you changed your handle. Just wanted to give you a heads-up in case you'd like to update it
The discoveries are really cool, though
The gift that keeps on giving: predictors.fail
This is IMO a great example of why **process isolation is the only path to confidentiality on modern CPUs**. Site- (or origin-) process isolation continues to be the path.
Also note: the CPU is **not** the problem here IMO, it's doing exactly its job.
This is IMO a great example of why **process isolation is the only path to confidentiality on modern CPUs**. Site- (or origin-) process isolation continues to be the path.
Also note: the CPU is **not** the problem here IMO, it's doing exactly its job.
January 29, 2025 at 3:36 PM
The discoveries are really cool, though
Reposted by Haoqun Jiang
Vite 6.0.9 / 5.4.12 / 4.5.6 has been released with *breaking changes* due to security issues. I recommend upgrading it. Some users may need to update the config options. Please check github.com/vitejs/vite/... if you encountered any errors.
Any websites were able to send any requests to the development server and read the response
### Summary
Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket co...
github.com
January 20, 2025 at 10:51 AM
Vite 6.0.9 / 5.4.12 / 4.5.6 has been released with *breaking changes* due to security issues. I recommend upgrading it. Some users may need to update the config options. Please check github.com/vitejs/vite/... if you encountered any errors.
I forked Bun's internal allowlist for those who need the protection from this new default but don't want to bother reviewing every dependency one-by-one: github.com/haoqunjiang/...
January 16, 2025 at 7:40 AM
I forked Bun's internal allowlist for those who need the protection from this new default but don't want to bother reviewing every dependency one-by-one: github.com/haoqunjiang/...
Trying to make configuring ESLint + Vue + TypeScript a bit easier with a few helper functions, but I'm afraid it might be too intrusive: github.com/vuejs/eslint...
What's your opinion about this API?
What's your opinion about this API?
github.com
January 12, 2025 at 2:55 PM
Trying to make configuring ESLint + Vue + TypeScript a bit easier with a few helper functions, but I'm afraid it might be too intrusive: github.com/vuejs/eslint...
What's your opinion about this API?
What's your opinion about this API?
Reposted by Haoqun Jiang
pnpm can block lifecycle scripts of dependencies during installation. This is an opt-in feature though. Should we block them by default?
github.com/orgs/pnpm/di...
github.com/orgs/pnpm/di...
Should we block lifecycle script of dependencies during installation? · pnpm · Discussion #8918
There was recently an incident with rspack, where it was published with a postinstall script that contained malware. Such incidents happen from time to time, so it could be a good idea to stop runn...
github.com
December 28, 2024 at 2:36 PM
pnpm can block lifecycle scripts of dependencies during installation. This is an opt-in feature though. Should we block them by default?
github.com/orgs/pnpm/di...
github.com/orgs/pnpm/di...
SCOTUSblog IS HERE!!!
I’ve been missing them since they left X. As I don’t use TikTok, I’ve had no easy way to follow them (well, I don’t feel like checking websites regularly for updates). So glad to see this account again on a social network!
I’ve been missing them since they left X. As I don’t use TikTok, I’ve had no easy way to follow them (well, I don’t feel like checking websites regularly for updates). So glad to see this account again on a social network!
Good morning! We're expecting more opinions from the Supreme Court today at 10 EST. Follow along for live updates, a thread:
December 11, 2024 at 4:01 PM
SCOTUSblog IS HERE!!!
I’ve been missing them since they left X. As I don’t use TikTok, I’ve had no easy way to follow them (well, I don’t feel like checking websites regularly for updates). So glad to see this account again on a social network!
I’ve been missing them since they left X. As I don’t use TikTok, I’ve had no easy way to follow them (well, I don’t feel like checking websites regularly for updates). So glad to see this account again on a social network!
Generated a report for vuejs/core too: triagster.com/app/report/p...
Many of the duplicated issues already identified by team members, but the report itself is very interesting - it shows some recurring issues, some we'd forgot to add tests for when fixing them the first time…
Many of the duplicated issues already identified by team members, but the report itself is very interesting - it shows some recurring issues, some we'd forgot to add tests for when fixing them the first time…
December 9, 2024 at 8:29 AM
Generated a report for vuejs/core too: triagster.com/app/report/p...
Many of the duplicated issues already identified by team members, but the report itself is very interesting - it shows some recurring issues, some we'd forgot to add tests for when fixing them the first time…
Many of the duplicated issues already identified by team members, but the report itself is very interesting - it shows some recurring issues, some we'd forgot to add tests for when fixing them the first time…
Reposted by Haoqun Jiang
All things Vue this Black Friday 💚
Get The Ultimate Vue Bundle or Build Your Own to access courses & certificates you need at a great price.
Enjoy exclusive savings from @vueschool.io, @masteringnuxt.com, @masteringpinia.com, and @certificates.dev - all in one place.
👉 Get it now vuebundle.com
Get The Ultimate Vue Bundle or Build Your Own to access courses & certificates you need at a great price.
Enjoy exclusive savings from @vueschool.io, @masteringnuxt.com, @masteringpinia.com, and @certificates.dev - all in one place.
👉 Get it now vuebundle.com
The Ultimate Vue Bundle
Course bundles with all you will need to master the full Vue.js Ecosystem and the official Vue.js certification to prove it! Enjoy big savings the more you buy.
vuebundle.com
November 28, 2024 at 10:11 PM
All things Vue this Black Friday 💚
Get The Ultimate Vue Bundle or Build Your Own to access courses & certificates you need at a great price.
Enjoy exclusive savings from @vueschool.io, @masteringnuxt.com, @masteringpinia.com, and @certificates.dev - all in one place.
👉 Get it now vuebundle.com
Get The Ultimate Vue Bundle or Build Your Own to access courses & certificates you need at a great price.
Enjoy exclusive savings from @vueschool.io, @masteringnuxt.com, @masteringpinia.com, and @certificates.dev - all in one place.
👉 Get it now vuebundle.com
Wow, this looks polished!
November 28, 2024 at 6:42 AM
Wow, this looks polished!