banner
LightNews
notwes.bsky.social
Wes
@notwes.bsky.social
2.6K followers 630 following 4.9K posts
ATX - he/him - 🥂Humans are more important than code - I work at an entertainment company and volunteer my time making art on github https://github.com/wesleytodd
github.com
Posts Media Videos Starter Packs
notwes.bsky.social
Wes @notwes.bsky.social · 1d
Cloudy morning but I can’t complain about the room view, that’s for sure.
The bay, pool and some boat docks
6
notwes.bsky.social
Wes @notwes.bsky.social · 1d
To give some credit (I don’t mean to be so harsh) it is a series of *really deep* paper cuts. But the real ailment is internal bleeding, and neither bandaids (the right paper cut treatment) not the cast fix the problem.

We need forced 2FA supported from CI.
1 3
notwes.bsky.social
Wes @notwes.bsky.social · 1d
And my well timed talk on the topic at @jsconf.bsky.social this week: events.linuxfoundation.org/jsconf-north...
Schedule | LF Events
View the JSConf2025 schedule & directory.
events.linuxfoundation.org
1
notwes.bsky.social
Wes @notwes.bsky.social · 1d
If only these changes did anything meaningful that would help a lot. Instead it’s like a full body cast applied to a paper cut.

The link being referenced: github.blog/changelog/20...
Strengthening npm security: Important changes to authentication and token management - GitHub Changelog
As part of our ongoing commitment to securing the npm ecosystem, we’re implementing the first phase of security improvements outlined in our recent announcement. These changes will roll out over…
github.blog
3 2
notwes.bsky.social
Wes @notwes.bsky.social · 1d
Wow I even just got to (gently hopefully) correct the legend himself @paul.irish on Reddit about it lol.

We really need @npmjs.bsky.social and @github.com to provide more clarity to help folks understand.
1 2
notwes.bsky.social
Wes @notwes.bsky.social · 1d
Well guess all the announcements from GitHub are well timed for my talk on Thursday.
1 5
notwes.bsky.social
Wes @notwes.bsky.social · 1d
I was just too tired and got in too late to start yesterday.
1
Reposted by Wes
darcyclarke.me
Darcy Clarke @darcyclarke.me · 2d
👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢
4 12
notwes.bsky.social
Wes @notwes.bsky.social · 1d
Oh I just found the conf account @jsconf.bsky.social
1
Reposted by Wes
ruyadorno.com
Ruy Adorno @ruyadorno.com · 2d
⚡️ All set up for #JSConf !

Stop by to talk with the @vlt.sh team if you’re around!
1 6 20
notwes.bsky.social
Wes @notwes.bsky.social · 1d
JS Conf tomorrow!
2 1 8
notwes.bsky.social
Wes @notwes.bsky.social · 5d
At work we have like 40 orgs, I was clicking through each one of them and none had it. We think maybe it is one of the other users on the package who may own that org. But we cannot know without reaching out to all of them.
1 3
notwes.bsky.social
Wes @notwes.bsky.social · 5d
Another one I found this week is that if a package is owned by an org, and a developer is given access via a team in that org, you cannot figure out which org is the one granting it.
1 2
notwes.bsky.social
Wes @notwes.bsky.social · 5d
Similar story with packages that "don't require 2fa". If your user has "require 2fa for write" you still get a 2fa workflow publishing that package. This one, for example, is not a bad thing but it is for sure a "wat is happening" moment lol.
1 2
notwes.bsky.social
Wes @notwes.bsky.social · 5d
Just now I joined an org and it asked me to agree to always have 2fa. Except the org is not setup to require 2fa. So when my non-2fa alt account joined it didn't have to agree to that.
1 2
notwes.bsky.social
Wes @notwes.bsky.social · 5d
It has been really *fun* (as in not fun at all) to be prepping for this npm publishing session/talk. So many wat moments in the website UI.
2 7
notwes.bsky.social
Wes @notwes.bsky.social · 7d
Ha, I doubt that’s what any of the npm folks would say I have done.
1
notwes.bsky.social
Wes @notwes.bsky.social · 8d
It is entirely reasonable to take this direction, but unfortunately it is clearly out of the realm of possibility with the current investment from GH/Msft. And frankly, we are all better off looking toward vendors like @socket.dev than trying to get npm to directly built out detection.
1 5
notwes.bsky.social
Wes @notwes.bsky.social · 11d
Well, I did the free trial. And TIL that Apple never figure out that "natural scrolling" on a trackpad is *ENTIRELY* different from it on a mouse. This is neigh on unusable.
1
notwes.bsky.social
Wes @notwes.bsky.social · 11d
FWIW, this is more nuanced in many use cases. We bundle cli’s for workflow tooling we use in CI to improve execution times (no full install) for example. I will back you up any time blaming TS people for bringing many problems on themselves, but it needs nuance.
1
notwes.bsky.social
Wes @notwes.bsky.social · 11d
Yeah the reason we don’t is because our e2e tests run on real infra and real projects. So that requires publishing. This is why I want platform features to support these workflows.
1 1
notwes.bsky.social
Wes @notwes.bsky.social · 11d
At work we have a pretty great set of integration test flows we use where we publish and use prereleases for this. All that said, avoiding that complexity is always preferable when possible.
1 1
notwes.bsky.social
Wes @notwes.bsky.social · 11d
There are a ton of good ways to do this, what I posted is more of a “make it part of the platform” instead of everyone having these unique solutions on their own.
1 1
notwes.bsky.social
Wes @notwes.bsky.social · 11d
lol, probably the first time I said it was in some stage of frustration induced burnout. Some combination of deadpan and acceptance. 🤣
3
notwes.bsky.social
Wes @notwes.bsky.social · 11d
I *tried to find a way to kill it instead*. Fixing it was a last resort when that fails.
3