Wes
@notwes.bsky.social
ATX - he/him - 🥂Humans are more important than code - I work at an entertainment company and volunteer my time making art on github

https://github.com/wesleytodd
I have someone in my email from GitNation asking about a tech speaking thing. I have never heard of them, but their website has names of people I know. Is this legitimate or spam?
December 17, 2025 at 4:55 PM
Reposted by Wes
It's not only NPM.
🚨 New threat research: An impostor #NuGet package typosquatted a popular .NET tracing library and its author, using homoglyph tricks to blend in, then exfiltrated #Stratis wallet JSON and passwords to a Russian IP address.
Full report →
socket.dev/blog/malicio... #dotnet
Malicious NuGet Package Typosquats Popular .NET Tracing Libr...
Impostor NuGet package Tracer.Fody.NLog typosquats Tracer.Fody and its author, using homoglyph tricks, and exfiltrates Stratis wallet JSON/passwords t...
socket.dev
December 15, 2025 at 10:26 PM
Looks like I was right!

bsky.app/profile/reac...
I have been looking at this like it will be the js log4j. Now with lots of eyes might come a string of other issues.
December 11, 2025 at 10:09 PM
Reposted by Wes
ESLint lost 1/3 of its sponsorships in 2025 while downloads are up 62%. If every company where ESLint is used donated just $100/month, we'd have more than enough. Please talk to your manager about sponsoring ESLint:
https://eslint.org/donate
December 9, 2025 at 8:20 PM
"I've written and deleted a comment enough times here that I need to move on."

I am fully on board with a message of:

Show me that you looked at the code at all.

github.com/expressjs/ex...
feat: add CORS-aware ETag modes and configurable query parser options by iAn-P1nt0 · Pull Request #6908 · expressjs/express
Overview This PR introduces two independent enhancements to Express.js that address long-standing issues with CDN caching and query string handling. Changes Included 1. CORS-Aware ETag Generation (...
github.com
December 10, 2025 at 8:14 PM
Reposted by Wes
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou...
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...
socket.dev
December 10, 2025 at 5:45 AM
Reposted by Wes
🧨 “Gaps in design and implementation with the new OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps in their publishing setups. We do not recommend critical projects move to this new workflow..." - @notwes.bsky.social
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou...
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...
socket.dev
December 10, 2025 at 6:03 AM
Reposted by Wes
Want to work with me and a number of world-class JS open source developers at @socket.dev protecting ALL open source libraries from supply chain attacks?

We're looking for stellar frontend developers. DM me
December 10, 2025 at 6:12 PM
Reposted by Wes
❗️Node.js Security release pre-alert ❗️
We will release new versions of v20, v22, v24, v25 release lines on or shortly after the 15th of December 2025 in order to address:
* 3 high severity issues.
* 1 low severity issue.
* 1 medium severity issue.
nodejs.org/en/blog/vuln...
Node.js — Monday, December 15, 2025 Security Releases
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
nodejs.org
December 8, 2025 at 5:50 PM
Reposted by Wes
Cloudflare was down for half an hour this morning, and it was caused by work we were doing to try to mitigate the React CVE. (Seriously, people: upgrade Next.js/React Router etc right now)
Dane Knecht 🦭 on X: "We are aware of the issue impacting the availability of Cloudflare’s network. It was not an attack; root cause was disabling some logging to help mitigate this week’s React CVE. Will share full details in a blog post today. Sites should be back online now, but I understand the" / X
x.com
December 5, 2025 at 10:36 AM
If you haven’t patched any libs you maintain, go do that immediately. This is “as bad as it gets”. We need everything moved past these vulnerable versions because they can *easily* be mistakenly in your apps.
mk.gg Matt Kane @mk.gg · Dec 5
The original React2shell PoC is now public. This is as bad as it gets – full RCE. You must upgrade now. There are mitigations in place in CDNs including Cloudflare, Netlify, Vercel and AWS (and sites on Workers aren't vulnerable to this sort of attack), but there are variants in the wild now.
GitHub - lachlan2k/React2Shell-CVE-2025-55182-original-poc: Original Proof-of-Concept's for React2Shell CVE-2025-55182
Original Proof-of-Concept's for React2Shell CVE-2025-55182 - lachlan2k/React2Shell-CVE-2025-55182-original-poc
github.com
December 5, 2025 at 12:53 PM
Reposted by Wes
The changed code is a small fraction of an open source contribution. Your commitment to understand the issue, how your proposed solution fits with the project, and be ready to own and push the review process forward is the biggest chunk of the work. Your effort is the contribution, not the code.
December 5, 2025 at 9:58 AM
Can we just have 1 dull day in JS land?
December 4, 2025 at 6:20 PM
Reposted by Wes
I always feel bad for people who spend a ton of time on a pull request that the project doesn’t want. You can avoid wasting a lot of time by first opening an issue describing what you’re thinking of doing to get feedback before you start coding.
December 2, 2025 at 3:54 PM
And as we in JS land have been learning the past 3 months, "devs just need to be careful" in a universe where CI exists is also pretty incredible.
Pretty incredible to say "devs just need to be careful" in a universe where the C language exists.
December 1, 2025 at 8:00 PM
Nothing is ever perfect, but this is pretty good advice.
November 25, 2025 at 1:48 PM
Reposted by Wes
Developers, please, enable passkey MFA on your npm account. It's extremely easy, and makes this category of attack impossible. At this point, I feel like it's negligent of GitHub not to require this of all publishers.
November 24, 2025 at 11:10 PM
Reposted by Wes
🤯 The number of affected packages in the Shai-Hulud npm attack has now reached 770. We’re continuing to investigate and will keep the blog post updated:

socket.dev/blog/shai-hu...
socket.dev Socket @socket.dev · Nov 24
🚨 A new wave of the Shai-Hulud supply chain attack has hit npm, impacting packages across widely used projects from AsyncAPI, ENS, Postman, PostHog, and Zapier. Attackers added a malicious preinstall script following account compromise. The investigation is ongoing:

socket.dev/blog/shai-hu...
Shai Hulud Strikes Again (v2) - Socket
Another wave of Shai-Hulud campaign hits npm.
socket.dev
November 24, 2025 at 11:19 PM
Another week, another CI compromise leading to malware. This time it might even delete your home directory if it can't find any secrets to steal.

What was that again about trusted publishing? You need to trust your CI for its threat model to apply? Guess maybe that's a bad place to put our trust.
November 24, 2025 at 6:06 PM
Just got three ficking awesome tacos for 14$. I rode my bike here. The place was a food truck I never noticed around the corner for 6 years and just opened a storefront.

Hate on Austin all you want (especially since it’s in Texas) but I still love this place.
November 21, 2025 at 7:03 PM
Reposted by Wes
🚀 Here is @vlt.sh's take on running lifecycle scripts on installs, adding another powerful capability to our query language syntax: blog.vlt.sh/blog/vlt-build

#javascript #nodejs #packages
Introducing Phased Package Installations
When you run vlt install, packages are downloaded and extracted to node_modules, but no lifecycle scripts execute.
blog.vlt.sh
November 19, 2025 at 6:38 PM
Reposted by Wes
🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta.

You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.
November 19, 2025 at 5:21 PM
Reposted by Wes
Launch Week Day 3: We're announcing beta support for
@bun.sh and @vlt.sh package managers in Socket! 🎉

Developers using emerging JavaScript package managers can now rely on Socket for full supply chain security, dependency graph analysis, and accurate SBOMs.
November 19, 2025 at 5:31 PM
Reposted by Wes
Reporting spam on @github.com should take less effort than posting spam
November 14, 2025 at 5:39 PM
After a few months of targeted attacks on our ecosystem, followed by a confusing and rapidly changing response from @github.com, we wanted to put together some guidance for maintainers on how to help us all secure our supply chain together.

Here is that guidance 👇
With npm supply chain attacks on the rise, secure publishing practices are becoming a pressing concern for anyone maintaining npm packages. ⚠️

We've released updated guidance to help maintainers reduce exposure, strengthen release processes, and protect the ecosystem: openjsf.org/blog/publish...
Publishing More Securely on npm: Guidance from the OpenJS Security Collaboration Space | OpenJS Foundation
The OpenJS Security Collaboration Space has been working closely with GitHub’s npm team to understand how new security features affect projects and maintainers, especially as threats and tools keep ev...
openjsf.org
November 14, 2025 at 4:21 PM