Lightnews — Scholar-powered news

Darcy Clarke @darcyclarke.me · 2d

👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢

4 12

Darcy Clarke @darcyclarke.me · 4d

Let me know if you want to compare notes. I have a few *fun* examples you can use.

4

Darcy Clarke @darcyclarke.me · 4d

Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.

1 4 14

Reposted by Darcy Clarke

Open Source Pledge ⇌ @opensourcepledge.com · 7d

A year ago, @sentry.io launched the Open Source Pledge, with one singular goal: get maintainers paid.

A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.

🧵

Nasdaq Tower in Times Square NYC.

The tower (which is covered in LEDs) reads
NASDAQ CELEBRATES ONE YEAR OF THE OPEN SOURCE PLEDGE AND THE COMPANIES WHO PAY MAINTAINERS

Below the text are all the member logos of companies who are members. The full list of member companies can be found here: https://opensourcepledge.com/members/

2 7 28

Darcy Clarke @darcyclarke.me · 7d

Expecting "free speech" on private platforms where you don't control the means of distribution is the definition of insane. This goes for the "left" & the "right". There'll always be limits to your "rights" when dependent on others. The limit is what's palatable to those that fund the platform.

1

Reposted by Darcy Clarke

Malte Ubl @industrialempathy.com · 8d

To honor a great friend and open-source pioneer Mikeal Rogers we're organizing a "conf" and charity auction.

I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.

Join us and ideally offer more donations!

All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com

An Event Mikeal Would Have Liked

Memorial charity event celebrating Mikeal Rogers' life - November 12, 2025

an-event-mikeal-would-have-liked.com

4 11

Darcy Clarke @darcyclarke.me · 11d

Blame Sentry

1

Reposted by Darcy Clarke

dmno.dev @dmno.bsky.social · 14d

Just tested and it works with varlock.dev!

1 3 5

Reposted by Darcy Clarke

daniel roooooohhh 👻 @danielroe.dev · 16d

please do fill this out! it's one of the good surveys and I always find taking it to be informative and fun. ✨

... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏

Alexander Lichter @thealexlichter.com · 16d

State of JS 2025

Christmas is only 3 months away, which means it is also time to take the State of JavaScript survey (again).
The more devs participate, the clearer the big picture will be in the end 🙌

Plus, you learn about features, libs, and frameworks you haven't heard before (or forgot about).

State of JavaScript 2025

Take the State of JavaScript survey

survey.devographics.com

2 5 23

Reposted by Darcy Clarke

Ruy Adorno @ruyadorno.com · 21d

A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...

Node.js Collab Summit, October 17 2025, Chesapeake Bay, MD

4 5

Darcy Clarke @darcyclarke.me · 24d

I'm very happy we've got one in the @vlt.sh office. Gets a fair bit of use. Most of our designs/drawings all end up looking like toasters for some reason though...

1 2

Darcy Clarke @darcyclarke.me · 25d

Love it!

Reposted by Darcy Clarke

Sébastien Chopin @atinux.com · 26d

Been working with @pi0.io on a great DX for the upcoming v3 of @nitro.build

Stay tuned ⚡︎

A new way to create a Nitro x Vite application

1 6 49

Reposted by Darcy Clarke

Ruy Adorno @ruyadorno.com · 26d

Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected.

Meet the new vlt client `:host()` Query selector:

blog.vlt.sh/blog/host-co...

#javascript #nodejs #packages

Query Across Projects with the host selector

The host selector is a pseudo-selector that switches your current graph context to load dependencies from different project sources

blog.vlt.sh

5 8

Darcy Clarke @darcyclarke.me · 27d

I'm sure the npm maintainers/community wouldn't mind if someone PR'd an expansion of --before to support relative date values &/or the --before-relative config proposed here: github.com/npm/rfcs/iss... I could be wrong though 🤷🏻‍♂️

[RRFC] expanding behavior of `--before` to support date adjustment and setting via config · Issue #559 · npm/rfcs

Motivation ("The Why") --before is an excellent feature for reliability as being able to run install in a project "as if it were in the past"... it has an additional benefit in that it can be used ...

github.com

1

Darcy Clarke @darcyclarke.me · 28d

bsky.app/profile/darc...

I'm sure most devs you work with have a bunch of stuff they run when their terminals spin up. Just tell them to add it to their .bashrc/.zshrc

Darcy Clarke @darcyclarke.me · 28d

Yes (via. `npm config set before=... --location=<global|user|project>`) but not the dynamic/relative date (see screenshot). That said, you can always add the `npm config set` command to your .bashrc/.zshrc file so the config updates every time you start a new terminal session (see second screenshot)

Darcy Clarke @darcyclarke.me · 28d

Not perfect by any measure but if you're stuck with npm for some reason this is a way make this work for you.

2

Darcy Clarke @darcyclarke.me · 28d

Yes (via. `npm config set before=... --location=<global|user|project>`) but not the dynamic/relative date (see screenshot). That said, you can always add the `npm config set` command to your .bashrc/.zshrc file so the config updates every time you start a new terminal session (see second screenshot)

2 3

Reposted by Darcy Clarke

Socket @socket.dev · 28d

🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript

Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...

Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that previously hit Tinycolor and dozen...

socket.dev

1 15 30

Darcy Clarke @darcyclarke.me · 28d

This guy over here

2

Darcy Clarke @darcyclarke.me · 29d

Missed it, better to make more noise/PSAs then less given how infrequently I find people knowing about this

1 3

Darcy Clarke @darcyclarke.me · 29d

ℹ️ Don't know who needs to hear this but npm has had a --before= flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v…

Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re

https://github.com/npm/cli/blob/v…

3 10 43

Reposted by Darcy Clarke

Sarah Gooding @sarahgooding.bsky.social · 29d

These attacks used to be more rare, but now we're seeing popular packages getting compromised every week. Check your dependencies.

cc: @campuscodi.risky.biz

Socket @socket.dev · 29d

🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.

Our analysis of the malware: socket.dev/blog/tinycol... #NodeJS #JavaScript

Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers

socket.dev

1 5 10

Darcy Clarke @darcyclarke.me · 29d

Good credentials != Good code...

1 7

Reposted by Darcy Clarke

Wes @notwes.bsky.social · 29d

Do not update to @ctrl/[email protected]. It has malware that is currently live on npm.

1 4 22