Wes
@notwes.bsky.social
ATX - he/him - 🥂Humans are more important than code - I work at an entertainment company and volunteer my time making art on github

https://github.com/wesleytodd
Nothing is ever perfect, but this is pretty good advice.
November 25, 2025 at 1:48 PM
Reposted by Wes
Developers, please, enable passkey MFA on your npm account. It's extremely easy, and makes this category of attack impossible. At this point, I feel like it's negligent of GitHub not to require this of all publishers.
November 24, 2025 at 11:10 PM
Reposted by Wes
🤯 The number of affected packages in the Shai-Hulud npm attack has now reached 770. We’re continuing to investigate and will keep the blog post updated:

socket.dev/blog/shai-hu...
🚨 A new wave of the Shai-Hulud supply chain attack has hit npm, impacting packages across widely used projects from AsyncAPI, ENS, Postman, PostHog, and Zapier. Attackers added a malicious preinstall script following account compromise. The investigation is ongoing:

socket.dev/blog/shai-hu...
Shai Hulud Strikes Again (v2) - Socket
Another wave of Shai-Hulud campaign hits npm.
socket.dev
November 24, 2025 at 11:19 PM
Another week, another CI compromise leading to malware. This time it might even delete your home directory if it can't find any secrets to steal.

What was that again about trusted publishing? You need to trust your CI for its threat model to apply? Guess maybe that's a bad place to put our trust.
November 24, 2025 at 6:06 PM
Just got three ficking awesome tacos for 14$. I rode my bike here. The place was a food truck I never noticed around the corner for 6 years and just opened a storefront.

Hate on Austin all you want (especially since it’s in Texas) but I still love this place.
November 21, 2025 at 7:03 PM
Reposted by Wes
🚀 Here is @vlt.sh's take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build

#javascript #nodejs #packages
Introducing Phased Package Installations
When you run vlt install, packages are downloaded and extracted to node_modules, but no lifecycle scripts execute.
blog.vlt.sh
November 19, 2025 at 6:38 PM
Reposted by Wes
🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta.

You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.
November 19, 2025 at 5:21 PM
Reposted by Wes
Launch Week Day 3: We're announcing beta support for @bun.sh and @vlt.sh package managers in Socket! 🎉

Developers using emerging JavaScript package managers can now rely on Socket for full supply chain security, dependency graph analysis, and accurate SBOMs.
November 19, 2025 at 5:31 PM
Reposted by Wes
Reporting spam on @github.com should take less effort than posting spam
November 14, 2025 at 5:39 PM
After a few months of targeted attacks on our ecosystem, followed by a confusing and rapidly changing response from @github.com, we wanted to put together some guidance for maintainers on how to help us all secure our supply chain together.

Here is that guidance 👇
With npm supply chain attacks on the rise, secure publishing practices are becoming a pressing concern for anyone maintaining npm packages. ⚠️

We've released updated guidance to help maintainers reduce exposure, strengthen release processes, and protect the ecosystem: openjsf.org/blog/publish...
Publishing More Securely on npm: Guidance from the OpenJS Security Collaboration Space | OpenJS Foundation
The OpenJS Security Collaboration Space has been working closely with GitHub’s npm team to understand how new security features affect projects and maintainers, especially as threats and tools keep ev...
openjsf.org
November 14, 2025 at 4:21 PM
Reposted by Wes
🎉 @bjohansebas.bsky.social is our new Triage Captain for #ExpressJS! Grateful for your dedication, leadership, and continued impact on the community 👏👏👏

github.com/expressjs/di...
fix(docs): Add @bjohansebas as Triage Team captain by wesleytodd · Pull Request #448 · expressjs/discussions
Nominating @bjohansebas as a captain of the Triage Team. We have seen lots of great contributions from @bjohansebas this year and he is interested in helping run this effort. Thanks for the continu...
github.com
November 12, 2025 at 10:05 AM
Have you even lived if you have never opened a kiln that looks like this? That crushing feeling of loss really brings perspective to normal levels of sad and how to let it go. 😭

Sorry for your loss Eva.
Guess who has two thumbs, and set their bisque kiln to preheat for 12 minutes instead of 12 hours!
That’s me!!
November 13, 2025 at 10:48 PM
Reposted by Wes
October’s security check‑in is here! 🚨

📌 Highlights: stronger threat modelling, npm Trusted Publishing risks tackled, new runtime features for secure‑by‑default apps.

hubs.la/Q03T5j8j0
OpenJS Security Update: October 2025 | OpenJS Foundation
From new threat modeling practices to ecosystem-wide coordination, npm security discussions, and major Node.js security enhancements, this update recaps the key progress made in October 2025.
hubs.la
November 13, 2025 at 7:18 PM
Nerds (derogatory) are really out there propping up the entire global market so they can have conversations with computers instead of humans. They are doing billions of dollars worth of work to achieve the goal of living a life mostly bereft of human connection. I am watching it happen live. 😭
November 13, 2025 at 5:59 PM
I had the pleasure of being on-call for a lot of what Elizabeth talked about on this (love is blind & the Tyson fight). It's fun to hear such a polished, clear, and positive message about the absolute *madness* (aka fun) it was to be involved as an engineer on the ground.
What’s it like to work as a software engineer at Netflix? In this special episode recorded at Netflix’s headquarters in Los Gatos, I sat down with Elizabeth Stone, CTO at the company - in the signature Netflix director chairs (and with a pro Netflix camera crew!)

(cont'd)
November 12, 2025 at 10:39 PM
Reposted by Wes
Type stripping is now stable.
Enjoy 🌞
November 12, 2025 at 5:07 AM
Reposted by Wes
Or to find out what is key for the general community, instead of for a specific funding source, there needs to be people proactively trying to find out what general users want, which is also work that doesn’t get done by itself and largely depends on volunteers github.com/nodejs/next-10
GitHub - nodejs/next-10: Repository for discussion on strategic directions for next 10 years of Node.js
Repository for discussion on strategic directions for next 10 years of Node.js - nodejs/next-10
github.com
November 12, 2025 at 12:33 PM
Reposted by Wes
Ha, this is pretty much how I work and I didn't realise it was a cultural thing, but that's why you see me popping up everywhere:

(From: protocol.ecologies.info/interviews/n... )
November 11, 2025 at 6:18 PM
I am not a supplier.
I was reading through the two SBOM specifications today (as you do), and noticed that both have fields that impose a "supplier" field on packages.

Couldn't help but think of @https://hachyderm.io/@Di4na's blog post https://www.softwaremaxims.com/blog/not-a-supplier and how it's literally in the […]
Original post on mastodon.social
mastodon.social
November 11, 2025 at 10:10 PM
Reposted by Wes
Preparing my talk for JSConf JP and I finally drew my mental venn diagram about how Node.js development works 🤪
November 11, 2025 at 7:20 PM
And if so, what value are you finding in the data available via provenance?
November 11, 2025 at 8:06 PM
Reposted by Wes
Big thanks to our partners Alpha Omega and @nodesource.bsky.social 💚
November 11, 2025 at 3:28 PM
Reposted by Wes
Ever wonder why @nodejs.org drops new versions like clockwork? Here’s the scoop. ⏱️

@rafaelgss.dev shares all the details about the Node.js release schedule in our new series, JavaScript Security Snapshot.
November 11, 2025 at 3:28 PM
Reposted by Wes
It's not you, it's slack.
November 10, 2025 at 6:17 PM