John-David Dalton
@jddalton.bsky.social
Lodash creator • sometimes TC39 delegate • protecting supply chains at https://Socket.dev • Ex (Bun, Salesforce, Node core, Electron WG, Microsoft)
Reposted by John-David Dalton
🚀 pnpm v10.21 is out!
This release introduces two powerful new security & compatibility features:
1️⃣ Automatic Node.js runtime installation for dependencies
2️⃣ Configurable trust policy for detecting supply-chain downgrades

🧵👇
November 10, 2025 at 3:18 PM
"Let me use sed" is the new "Hold my beer"
November 3, 2025 at 12:39 PM
Reposted by John-David Dalton
Lodash is entering a new chapter 📖 With investment from @sovereign.tech the project is getting key updates for security, modernization, and community-led governance.

Details: hubs.la/Q03NrdfR0
October 14, 2025 at 1:08 PM
Reposted by John-David Dalton
Introducing Socket Firewall: free, proactive protection for your software supply chain
@dale.link @socket.dev
socket.dev/blog/introdu...

#ECMAScript #JavaScript
Introducing Socket Firewall: Free, Proactive Protection for ...
Socket Firewall is a free tool that blocks malicious packages at install time, giving developers proactive protection against rising supply chain atta...
socket.dev
October 7, 2025 at 2:22 AM
Reposted by John-David Dalton
🚀 Socket now integrates with Bun 1.3’s new Security Scanner API! @bun.sh users can now protect their projects from malicious packages, typosquatting, & other supply chain attacks. Great to see Bun moving fast to protect devs with this new API!

socket.dev/blog/socket-...
Socket Integrates With Bun 1.3’s Security Scanner API - Sock...
Socket now integrates with Bun 1.3’s Security Scanner API to block risky packages at install time and enforce your organization’s policies in local de...
socket.dev
October 10, 2025 at 11:08 PM
Reposted by John-David Dalton
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
September 16, 2025 at 6:15 PM
Reposted by John-David Dalton
After recent npm supply chain attacks, @pnpm.io 10.16 adds a setting for delayed dependency updates.

Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.

socket.dev/blog/pnpm-10... #NodeJS
pnpm 10.16 Adds New Setting for Delayed Dependency Updates -...
pnpm's new minimumReleaseAge setting delays package updates to prevent supply chain attacks, with other tools like Taze and NCU following suit.
socket.dev
September 15, 2025 at 6:28 PM
Reposted by John-David Dalton
In the past week "minimumReleaseAge" was added to pnpm 10.16.0 and also "maturity-period" added to taze 19.6.0 🙌
September 13, 2025 at 2:20 PM
Reposted by John-David Dalton
pnpm v10.16.0 adds "minimumReleaseAge", a setting for defining how long a version has to have been published before pnpm will install it.

A nice countermeasure against accidental installs of short-lived compromised packages before they get taken down. Not a 100% fix, but a great additional step!
Release pnpm 10.16 · pnpm/pnpm
Minor Changes There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new settin...
github.com
September 12, 2025 at 10:49 PM
Reposted by John-David Dalton
pnpm 10.16
Minor Changes
pnpm.io
September 13, 2025 at 4:28 AM
Reposted by John-David Dalton
🚨 Using setImmediate() in your Node.js apps? You might be creating silent performance bombs that only explode in production.

Our latest webinar breaks down why this "simple" async function is one of the most misunderstood tools in Node.js 🧵👇
August 22, 2025 at 3:59 PM
Reposted by John-David Dalton
URLPattern is about to land in all browsers! 🎉

The only problem is it's slow to match URLs against a large set of patterns by linearly scanning.

So I just made url-pattern-list: a utility that parses patterns into an efficient prefix-tree for 2-30x faster matching! 😲

www.npmjs.com/package/url-...
url-pattern-list
Efficiently match URLs against a collection of URL patterns. Latest version: 0.5.0, last published: 12 minutes ago. Start using url-pattern-list in your project by running `npm i url-pattern-list`. Th...
www.npmjs.com
August 13, 2025 at 10:23 PM
Reposted by John-David Dalton
🚨 Active supply chain attack on npm:
Multiple Prettier tooling packages were compromised through the phishing campaign we published about just hours ago. Watch out for more compromised accounts and malicious packages.

Follow-up: socket.dev/blog/npm-phi... #nodejs #npm
Active Supply Chain Attack: npm Phishing Campaign Leads to P...
Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.
socket.dev
July 19, 2025 at 1:02 AM
Reposted by John-David Dalton
We're thrilled to announce the first stable release of Oxlint - version 1.0!

Our Rust-powered JavaScript/TypeScript linter delivers 50~100x faster performance than ESLint with 500+ rules and zero configuration required.

Time to give it a try!

voidzero.dev/posts/announ...
Announcing Oxlint 1.0
The first stable version of Oxlint, a fast & easy-to-use Rust-powered linter for JavaScript and TypeScript, is out. Learn about its 50~100x speed advantage over ESLint, support for 500+ rules, real-wo...
voidzero.dev
June 10, 2025 at 10:14 AM
Reposted by John-David Dalton
A tip I learned from a client this week: Before closing out an AI agent coding session, ask the agent to update your copilot-instructions.md file with what it learned. That saves time by adding context for future prompts.
May 9, 2025 at 4:10 PM
Reposted by John-David Dalton
github.com/eslint/eslin...

It is *wild* how simple that change is for that kind of startup perf boost 😍
April 28, 2025 at 5:55 PM
Reposted by John-David Dalton
ESLint enables the V8 compile cache by default in Node.js v22+. The result on my machine is a load time reduction of around 90%.
April 28, 2025 at 5:43 PM
Reposted by John-David Dalton
a game where you play a buddy duo called Chick and Nugget

- sick 3D platformer!
- everything is made out of crafting materials
- levels open, unfold, rotate
- theme song by Banjo-Kazooie composer
- voice cast ft the voice of Sly Cooper

PaperKlay, coming 27th May, please DM for codes
May 8, 2025 at 2:40 PM
Reposted by John-David Dalton
ECMAScript excitement 😉

Node.js 24 LTS ships these new JS features 🎉

🔶 Atomics.pause
🔶 Error.isError
🔶 Explicit Resource Management (`using`)
🔶 Float16Array
🔶 Intl.DurationFormat
🔶 Promise.try
🔶 RegExp.escape
🔶 RegExp Modifiers
🔶 RegExp Duplicate Named Capture Groups

Node.js 24 is here and it's looking good 😎🚀

Featuring updates to V8 v13.6, npm v11, improved Permission Model and more new features in the blog.

Check it out and let us know what you think: hubs.ly/Q03lfLDC0
Node.js — Node v24.0.0 (Current)
Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine.
hubs.ly
May 7, 2025 at 10:32 AM
Reposted by John-David Dalton
✂️ Knip v5.54.0 is out

→ Use `--fix --format` to format modified files, using Formatly and your project's formatter + config ✨

→ Support aliases from plugins, added for Vite, Vitest & webpack (`resolve.alias`)

→ Simplified plugin development (removed `resolveEntryPaths`, use only `resolveConfig`)
May 6, 2025 at 7:05 AM
Reposted by John-David Dalton
Node.js 24 is here and it's looking good 😎🚀

Featuring updates to V8 v13.6, npm v11, improved Permission Model and more new features in the blog.

Check it out and let us know what you think: hubs.ly/Q03lfLDC0
Node.js — Node v24.0.0 (Current)
Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine.
hubs.ly
May 6, 2025 at 3:26 PM
Super excited to share what I've been working on lately. Socket can now automagically fix security alerts with an autopilot mode ⚡🪄📦
socket.dev Socket @socket.dev · Apr 25
🔥 Launch Day 5: We’re so excited to launch socket fix — a CLI tool that automatically upgrades vulnerable dependencies, runs your tests, and even auto-merges safe updates in CI. From alert to merged fix. Zero friction.
April 25, 2025 at 2:46 PM
Reposted by John-David Dalton
🔥 Launch Day 5: We’re so excited to launch socket fix — a CLI tool that automatically upgrades vulnerable dependencies, runs your tests, and even auto-merges safe updates in CI. From alert to merged fix. Zero friction.
April 25, 2025 at 2:30 PM
Reposted by John-David Dalton
🚀 Big news! Socket is acquiring Coana, bringing best-in-class reachability analysis to modern SCA! Coana's technology reduces false positives by up to 80%, letting teams focus on vulnerabilities that actually matter. #AppSec 1/4
Socket Acquires Coana to Bring Reachability Analysis to Ever...
Socket is bringing best-in-class reachability analysis into the platform — cutting false positives, accelerating triage, and cementing our place as th...
socket.dev
April 23, 2025 at 1:22 PM
We got it working 💪
Spelunking the npm blessed package with @jddalton.bsky.social trying to get it to work with node's --disable-proto flag and rollup.

This package hasn't seen an update in 10 years. It doesn't know about modern JS, ESM, or anything else.

And it has millions of downloads weekly 🙈
April 4, 2025 at 7:41 PM