Darcy Clarke
@darcyclarke.me
@vlt.sh Founder & Chief End-User Officer
Prev: GitHub, npm & Themify Co-Founder
Prev: GitHub, npm & Themify Co-Founder
Seriously? Y'all had no idea?! HMU if you want to know about the "weaknesses" or "blind spots" with npm/GitHub or your security vendors.
arstechnica.com/security/202...
arstechnica.com/security/202...
NPM flooded with malicious packages downloaded more than 86,000 times
Packages downloaded from NPM can fetch dependancies from untrusted sites.
arstechnica.com
October 30, 2025 at 12:11 AM
Seriously? Y'all had no idea?! HMU if you want to know about the "weaknesses" or "blind spots" with npm/GitHub or your security vendors.
arstechnica.com/security/202...
arstechnica.com/security/202...
Reposted by Darcy Clarke
Hello Internet @darcyclarke.me @wesbos.com
October 28, 2025 at 12:45 AM
Hello Internet @darcyclarke.me @wesbos.com
Reposted by Darcy Clarke
If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...
The Registry is Dead, Long Live the Registry! - Darcy Clarke, vlt
YouTube video by OpenJS Foundation
www.youtube.com
October 22, 2025 at 10:01 PM
If you think npm's architecture is good, go watch @darcyclarke.me's talk. The dependency graph is complex and @vlt.sh is reinventing it in a smart and unique way. www.youtube.com/watch?v=o8nG...
Reposted by Darcy Clarke
Fantastic talk by @joyeecheung.bsky.social, a must watch to package authors that want to stay up-to-date on how to ship packages in this post require(esm) era: youtu.be/I0jvOJW7NaI #nodejs
Nordic.js 2025 • Joyee Cheung - Shipping Node.js packages in 2025
YouTube video by Nordic.js
youtu.be
October 21, 2025 at 2:24 AM
Fantastic talk by @joyeecheung.bsky.social, a must watch to package authors that want to stay up-to-date on how to ship packages in this post require(esm) era: youtu.be/I0jvOJW7NaI #nodejs
Reposted by Darcy Clarke
Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out.
Join me and check them out: www.vlt.sh
Join me and check them out: www.vlt.sh
October 16, 2025 at 8:20 PM
Huge thanks to the @vlt.sh team for building something new and refreshing in the world of package managers and taunting me with LEGO to try it out.
Join me and check them out: www.vlt.sh
Join me and check them out: www.vlt.sh
👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢
October 13, 2025 at 12:06 PM
👋🏻 If you're at @jsconf.bsky.social NA this week, come say hi to our team @vlt.sh ⚡📦 @ruyadorno.com, @lukekarrys.com & our Design Engineer (Jason Korol) will be there for both the conf & Node.js Collab Summit 🚀🐢
Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.
October 10, 2025 at 8:29 PM
Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.
Reposted by Darcy Clarke
A year ago, @sentry.io launched the Open Source Pledge, with one singular goal: get maintainers paid.
A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.
🧵
A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.
🧵
October 8, 2025 at 4:06 PM
A year ago, @sentry.io launched the Open Source Pledge, with one singular goal: get maintainers paid.
A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.
🧵
A key pillar of the Pledge is it’s not a “pledge”, like an IOU. Rather, to join the Pledge, members come with receipts. Here’s why.
🧵
Expecting "free speech" on private platforms where you don't control the means of distribution is the definition of insane. This goes for the "left" & the "right". There'll always be limits to your "rights" when dependent on others. The limit is what's palatable to those that fund the platform.
October 7, 2025 at 5:43 PM
Expecting "free speech" on private platforms where you don't control the means of distribution is the definition of insane. This goes for the "left" & the "right". There'll always be limits to your "rights" when dependent on others. The limit is what's palatable to those that fund the platform.
Reposted by Darcy Clarke
To honor a great friend and open-source pioneer Mikeal Rogers we're organizing a "conf" and charity auction.
I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.
Join us and ideally offer more donations!
All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com
I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.
Join us and ideally offer more donations!
All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com
An Event Mikeal Would Have Liked
Memorial charity event celebrating Mikeal Rogers' life - November 12, 2025
an-event-mikeal-would-have-liked.com
October 6, 2025 at 9:01 PM
To honor a great friend and open-source pioneer Mikeal Rogers we're organizing a "conf" and charity auction.
I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.
Join us and ideally offer more donations!
All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com
I'll be auctioning an exclusive wagyu BBQ at my house for up to 15.
Join us and ideally offer more donations!
All proceeds go to his wife and 2 kids an-event-mikeal-would-have-liked.com
Reposted by Darcy Clarke
Just tested and it works with varlock.dev!
September 30, 2025 at 5:34 PM
Just tested and it works with varlock.dev!
Reposted by Darcy Clarke
please do fill this out! it's one of the good surveys and I always find taking it to be informative and fun. ✨
... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏
... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏
State of JS 2025
Christmas is only 3 months away, which means it is also time to take the State of JavaScript survey (again).
The more devs participate, the clearer the big picture will be in the end 🙌
Plus, you learn about features, libs, and frameworks you haven't heard before (or forgot about).
Christmas is only 3 months away, which means it is also time to take the State of JavaScript survey (again).
The more devs participate, the clearer the big picture will be in the end 🙌
Plus, you learn about features, libs, and frameworks you haven't heard before (or forgot about).
State of JavaScript 2025
Take the State of JavaScript survey
survey.devographics.com
September 29, 2025 at 3:57 PM
please do fill this out! it's one of the good surveys and I always find taking it to be informative and fun. ✨
... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏
... and, if you're not always represented in surveys like this, it would be particularly good to hear your voice 🙏
Reposted by Darcy Clarke
A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...
September 24, 2025 at 3:18 PM
A heads up to anyone attending the upcoming JSConf in October and locals to the Maryland state area. We're hosting the Node.js Collab Summit next October 17 and registration is now open for in-person participation: github.com/openjs-found...
Reposted by Darcy Clarke
September 19, 2025 at 7:51 AM
Reposted by Darcy Clarke
Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected.
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
Query Across Projects with the host selector
The host selector is a pseudo-selector that switches your current graph context to load dependencies from different project sources
blog.vlt.sh
September 18, 2025 at 7:39 PM
Seeing the recent supply-chain attacks made me prioritize this item from our backlog as I wanted a quick way to know if any of my local projects have been affected.
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
Meet the new vlt client `:host()` Query selector:
blog.vlt.sh/blog/host-co...
#javascript #nodejs #packages
Reposted by Darcy Clarke
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
September 16, 2025 at 6:15 PM
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
ℹ️ Don't know who needs to hear this but npm has had a --before= flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v…
Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re
Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re
https://github.com/npm/cli/blob/v…
September 16, 2025 at 2:10 PM
ℹ️ Don't know who needs to hear this but npm has had a --before= flag since v6.9.0 (02/2019): github.com/npm/cli/blob/v…
Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re
Setting a relative date is easy w/:
$ npm install --before="$(date -v -7d)"
# & only get registry deps that are over a week olddocs.npmjs.com/cli/v11/usin...re
Reposted by Darcy Clarke
These attacks used to be more rare, but now we're seeing popular packages getting compromised every week. Check your dependencies.
cc: @campuscodi.risky.biz
cc: @campuscodi.risky.biz
🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.
Our analysis of the malware: socket.dev/blog/tinycol... #NodeJS #JavaScript
Our analysis of the malware: socket.dev/blog/tinycol... #NodeJS #JavaScript
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
September 16, 2025 at 12:08 AM
These attacks used to be more rare, but now we're seeing popular packages getting compromised every week. Check your dependencies.
cc: @campuscodi.risky.biz
cc: @campuscodi.risky.biz
Good credentials != Good code...
September 16, 2025 at 2:25 AM
Good credentials != Good code...
Reposted by Darcy Clarke
Do not update to @ctrl/tinycolor@4.1.2. It has malware that is currently live on npm.
September 15, 2025 at 10:15 PM
Do not update to @ctrl/tinycolor@4.1.2. It has malware that is currently live on npm.
Reposted by Darcy Clarke
Honestly serious: JUST DON'T UPDATE PACKAGES RIGHT NOW.
It is unclear to me yet, but this is looking pretty wide spread. Better be safe than sorry, just go touch some grass.
It is unclear to me yet, but this is looking pretty wide spread. Better be safe than sorry, just go touch some grass.
Do not update to @ctrl/tinycolor@4.1.2. It has malware that is currently live on npm.
September 15, 2025 at 10:29 PM
Honestly serious: JUST DON'T UPDATE PACKAGES RIGHT NOW.
It is unclear to me yet, but this is looking pretty wide spread. Better be safe than sorry, just go touch some grass.
It is unclear to me yet, but this is looking pretty wide spread. Better be safe than sorry, just go touch some grass.
Reposted by Darcy Clarke
Typical day in life of a web dev
September 12, 2025 at 2:30 AM
Typical day in life of a web dev
⚡ Point. Click. Discover.
🚀 We're excited to unveil a new Query Builder to @vlt.sh's UI. It's now dead simple to visually navigate complex dependency graph filters without typing a thing. No need to memorize our selector syntax (if you don't want to).
🚀 We're excited to unveil a new Query Builder to @vlt.sh's UI. It's now dead simple to visually navigate complex dependency graph filters without typing a thing. No need to memorize our selector syntax (if you don't want to).
September 4, 2025 at 3:28 PM
⚡ Point. Click. Discover.
🚀 We're excited to unveil a new Query Builder to @vlt.sh's UI. It's now dead simple to visually navigate complex dependency graph filters without typing a thing. No need to memorize our selector syntax (if you don't want to).
🚀 We're excited to unveil a new Query Builder to @vlt.sh's UI. It's now dead simple to visually navigate complex dependency graph filters without typing a thing. No need to memorize our selector syntax (if you don't want to).
🔥 Just your yearly reminder that the JS ecosystem could be much worse off... stuck in the *first level* of "Dependency Hell" like many other ecosystems with minimal options/diversity... lucky for us, we get to face much hotter problems 😉
September 4, 2025 at 3:21 AM
🔥 Just your yearly reminder that the JS ecosystem could be much worse off... stuck in the *first level* of "Dependency Hell" like many other ecosystems with minimal options/diversity... lucky for us, we get to face much hotter problems 😉
🚨 If you think you might be effected by the nx compromise please revoke the GitHub CLI Authorized OAuth App: github.com/settings/con...
Notably, this is the only way to revoke/rotate the tokens made by/known to that app. The next time you `gh login` you can reauth.
Notably, this is the only way to revoke/rotate the tokens made by/known to that app. The next time you `gh login` you can reauth.
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
github.com
August 28, 2025 at 8:52 PM
🚨 If you think you might be effected by the nx compromise please revoke the GitHub CLI Authorized OAuth App: github.com/settings/con...
Notably, this is the only way to revoke/rotate the tokens made by/known to that app. The next time you `gh login` you can reauth.
Notably, this is the only way to revoke/rotate the tokens made by/known to that app. The next time you `gh login` you can reauth.