Darcy Clarke
@darcyclarke.me
@vlt.sh Founder & Chief End-User Officer
Prev: GitHub, npm & Themify Co-Founder
Prev: GitHub, npm & Themify Co-Founder
Reposted by Darcy Clarke
This just in: JavaScript uses memory.
a woman is standing in front of a sign that says news 4
ALT: a woman is standing in front of a sign that says news 4
media.tenor.com
December 22, 2025 at 3:44 PM
This just in: JavaScript uses memory.
Reposted by Darcy Clarke
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...
www.npmjs.com
December 22, 2025 at 7:16 AM
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...
GitHub's product leadership sure knows how to piss off developers these days
December 16, 2025 at 8:09 PM
GitHub's product leadership sure knows how to piss off developers these days
Reposted by Darcy Clarke
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.
Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
December 12, 2025 at 1:08 PM
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Reposted by Darcy Clarke
Looking for a maintainer. Good opportunity if you want to manage a library with a lot of users
cc @reinhold.is I know storybook has its own version of this. Maybe they could be merged and managed in tandem?
cc @reinhold.is I know storybook has its own version of this. Maybe they could be merged and managed in tandem?
December 4, 2025 at 1:03 AM
Looking for a maintainer. Good opportunity if you want to manage a library with a lot of users
cc @reinhold.is I know storybook has its own version of this. Maybe they could be merged and managed in tandem?
cc @reinhold.is I know storybook has its own version of this. Maybe they could be merged and managed in tandem?
Who's going to be in Las Vegas this week for AWS re:Invent? Let's chat packages & supply chain security if you're here!
a cartoon of a man standing in front of a stack of cardboard boxes and the words what the
ALT: a cartoon of a man standing in front of a stack of cardboard boxes and the words what the
media.tenor.com
November 30, 2025 at 10:17 PM
Who's going to be in Las Vegas this week for AWS re:Invent? Let's chat packages & supply chain security if you're here!
Reposted by Darcy Clarke
The top licenses published on #npm .
Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]
Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]
November 26, 2025 at 8:43 PM
The top licenses published on #npm .
Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]
Number #2 is interesting because it's not really a well-known one, but it's the default choice when running `npm init`, so it likely represents all the people that just pressed enter without having an opinion. [1/2]
Reposted by Darcy Clarke
🚀 Here is @vlt.sh take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build
#javascript #nodejs #packages
#javascript #nodejs #packages
Introducing Phased Package Installations
When you run vlt install, packages are downloaded and extracted to node_modules, but no lifecycle scripts execute.
blog.vlt.sh
November 19, 2025 at 6:38 PM
🚀 Here is @vlt.sh take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build
#javascript #nodejs #packages
#javascript #nodejs #packages
Seriously? Y'all had no idea?! HMU if you want to know about the "weaknesses" or "blind spots" with npm/GitHub or your security vendors.
arstechnica.com/security/202...
arstechnica.com/security/202...
NPM flooded with malicious packages downloaded more than 86,000 times
Packages downloaded from NPM can fetch dependancies from untrusted sites.
arstechnica.com
October 30, 2025 at 12:11 AM
Seriously? Y'all had no idea?! HMU if you want to know about the "weaknesses" or "blind spots" with npm/GitHub or your security vendors.
arstechnica.com/security/202...
arstechnica.com/security/202...
Reposted by Darcy Clarke
Hello Internet @darcyclarke.me @wesbos.com
October 28, 2025 at 12:45 AM
Hello Internet @darcyclarke.me @wesbos.com
Reposted by Darcy Clarke
If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...
The Registry is Dead, Long Live the Registry! - Darcy Clarke, vlt
YouTube video by OpenJS Foundation
www.youtube.com
October 22, 2025 at 10:01 PM
If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...
Reposted by Darcy Clarke
Fantastic talk by @joyeecheung.bsky.social, a must watch to package authors that want to stay up-to-date on how to ship packages in this post require(esm) era: youtu.be/I0jvOJW7NaI #nodejs
Nordic.js 2025 • Joyee Cheung - Shipping Node.js packages in 2025
YouTube video by Nordic.js
youtu.be
October 21, 2025 at 2:24 AM
Fantastic talk by @joyeecheung.bsky.social, a must watch to package authors that want to stay up-to-date on how to ship packages in this post require(esm) era: youtu.be/I0jvOJW7NaI #nodejs
Reposted by Darcy Clarke
Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out.
Join me and check them out: www.vlt.sh
Join me and check them out: www.vlt.sh
October 16, 2025 at 8:20 PM
Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out.
Join me and check them out: www.vlt.sh
Join me and check them out: www.vlt.sh
👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢
October 13, 2025 at 12:06 PM
👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢
Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.
October 10, 2025 at 8:29 PM
Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.
Reposted by Darcy Clarke
A year ago, @sentry.io launched the Open Source Pledge, with one singular goal: get maintainers paid.
A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.
🧵
A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.
🧵
October 8, 2025 at 4:06 PM
A year ago, @sentry.io launched the Open Source Pledge, with one singular goal: get maintainers paid.
A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.
🧵
A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.
🧵
Expecting "free speech" on private platforms where you don't control the means of distribution is the definition of insane. This goes for the "left" & the "right". There'll always be limits to your "rights" when dependent on others. The limit is what's palatable to those that fund the platform.
October 7, 2025 at 5:43 PM
Expecting "free speech" on private platforms where you don't control the means of distribution is the definition of insane. This goes for the "left" & the "right". There'll always be limits to your "rights" when dependent on others. The limit is what's palatable to those that fund the platform.
Reposted by Darcy Clarke
To honor a great friend and open-source pioneer Mikeal Rogers we're organizing a "conf" and charity auction.
I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.
Join us and ideally offer more donations!
All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com
I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.
Join us and ideally offer more donations!
All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com
An Event Mikeal Would Have Liked
Memorial charity event celebrating Mikeal Rogers' life - November 12, 2025
an-event-mikeal-would-have-liked.com
October 6, 2025 at 9:01 PM
To honor a great friend and open-source pioneer Mikeal Rogers we're organizing a "conf" and charity auction.
I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.
Join us and ideally offer more donations!
All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com
I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.
Join us and ideally offer more donations!
All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com
Reposted by Darcy Clarke
Just tested and it works with varlock.dev!
September 30, 2025 at 5:34 PM
Just tested and it works with varlock.dev!
Reposted by Darcy Clarke
please do fill this out! it's one of the good surveys and I always find taking it to be informative and fun. ✨
... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏
... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏
State of JS 2025
Christmas is only 3 months away, which means it is also time to take the State of JavaScript survey (again).
The more devs participate, the clearer the big picture will be in the end 🙌
Plus, you learn about features, libs, and frameworks you haven't heard before (or forgot about).
Christmas is only 3 months away, which means it is also time to take the State of JavaScript survey (again).
The more devs participate, the clearer the big picture will be in the end 🙌
Plus, you learn about features, libs, and frameworks you haven't heard before (or forgot about).
State of JavaScript 2025
Take the State of JavaScript survey
survey.devographics.com
September 29, 2025 at 3:57 PM
please do fill this out! it's one of the good surveys and I always find taking it to be informative and fun. ✨
... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏
... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏
Reposted by Darcy Clarke
A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...
September 24, 2025 at 3:18 PM
A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...
Reposted by Darcy Clarke
September 19, 2025 at 7:51 AM
Reposted by Darcy Clarke
Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected.
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
Query Across Projects with the host selector
The host selector is a pseudo-selector that switches your current graph context to load dependencies from different project sources
blog.vlt.sh
September 18, 2025 at 7:39 PM
Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected.
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
Reposted by Darcy Clarke
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
September 16, 2025 at 6:15 PM
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
ℹ️ Don't know who needs to hear this but npm has had a --before= flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v…
Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re
Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re
https://github.com/npm/cli/blob/v…
September 16, 2025 at 2:10 PM
ℹ️ Don't know who needs to hear this but npm has had a --before= flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v…
Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re
Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re