Cleaning house in an Nx monorepo: how I removed 120 unused deps safely

Short version: I ran Knip across our Nx repo, took the “unused” list as a hint, deleted candidates, built, tested, booted apps, and put a few back when they were secretly used. Net, about 120 packages gone. Yarn install dropped by roughly a minute. Fewer CVE nags. Everyone slept better.

The situation

We got a chunky Nx monorepo. Ro
Strengthening npm security: Important changes to authentication and token management

As part of our ongoing commitment to securing the npm ecosystem, we’re implementing the first phase of security improvements outlined in our recent announcement. These changes will roll out over the coming five weeks, completing by mid-November 2025, and require action from package maintainers. We’re taking this pha
9.0.0 (2025-09-23)

Bug Fixes
publish: ensure README file names are populated on package.json (#4211) (362875d)

Features
support OIDC trusted publishing (d51e344)

OIDC trusted publishing is now supported by Lerna with no special configuration required. A new guide has been added: https://lerna.js.org/docs/recipes/oidc-trusted-publishing A fully working example repo has been set up here https:
Open source software is the bedrock of the modern software industry. Its collaborative nature and vast ecosystem empower developers worldwide, driving efficiency and progress at an unprecedented scale. This scale also presents unique vulnerabilities that are continually tested and under attack by malicious actors, making the security of open source a critical concern for all. Transparency is centr
The Aikido Safe Chain prevents developers from installing malware on their workstations through npm, npx, yarn, pnpm and pnpx. It's free to use and does not require any token. The Aikido Safe Chain wraps around the npm cli, npx, yarn, pnpm, and pnpx to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm,
Software developers typically rely upon a large network of dependencies to build their applications. For instance, the NPM package repository contains over 3 million packages and serves tens of billions of downloads weekly. Understanding the structure and nature of packages, dependencies, and published code requires datasets that provide researchers with easy access to metadata and code of package
Executive Summary: The NPM ecosystem is facing another critical supply chain attack. The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats - the malware includes a self-propagating mechanism that automatically
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The curr
Starting at September 8th, 13:16 UTC, our Aikido intel feed alerted us to a series of packages being pushed to npm which appeared to contain malicious code. These were 18 very popular packages: backslash (0.26m downloads per week), chalk-template (3.9m downloads per week), supports-hyperlinks (19.2m downloads per week), has-ansi (12.1m downloads per week), simple-swizzle (26.26m downloads per week), color-st
npm Trusted Publishing became generally available on July 31, 2025. With it, you can publish npm packages from CI/CD without an npm token, using OpenID Connect (OIDC). npm trusted publishing with OIDC is generally available / Trusted publishing for npm packages | npm Docs. This article covers how npm Trusted Publishing works, how to configure it, and an actual release flow. What is npm Trusted Publishing? npm Trusted Publishing is a mechanism that establishes an OIDC-based trust relationship between the npm registry and a CI/CD environment (GitHub Actions or GitLab CI/CD).
On August 26, 2025, it became widely discussed that multiple malicious versions of Nx, one of the most widely used build tools in the JavaScript ecosystem, had been published by an attacker. socket.dev github.com Overview of the attack. In short: the attacker created an Nx library containing malicious code; stole the official Nx npm token; impersonated the official Nx project and published a newest version containing the malicious code as if it were an official release; users who downloaded the latest version had the malicious code executed. That is the gist. The impact and detailed sequence of the attack are outside the scope of this article, so I include a brief summary produced by NotebookLM. 1. Exploitation of a GitHub Actions workflow vulnerability: the attacker targeted a workflow with a pull_request_target trigger, whose Ba
s1ngularity: supply chain attack leaks secrets on GitHub: everything you need to know. Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently. Updated August 29th, 2PM UTC with details on the second phase of the attack. On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm re
As of today, npm trusted publishing with OpenID Connect (OIDC) is now generally available. This feature enables you to securely publish npm packages directly from CI/CD workflows using OpenID Connect (OIDC) for authentication, reducing the need to manage long-lived tokens. What’s new With trusted publishing, you can now: Publish packages without npm tokens: Configure your packages to accept publis