Wes
@notwes.bsky.social
ATX - he/him - 🥂Humans are more important than code - I work at an entertainment company and volunteer my time making art on github

https://github.com/wesleytodd
Reposted by Wes
Additionally, releasing on Tuesday rather than Friday helps ensure that security updates are available during regular business hours across all time zones, particularly for our users in the Asia-Pacific region.

nodejs.org/en/blog/vuln...
Node.js — Thursday, January 8, 2026 Security Releases
January 8, 2026 at 9:50 PM
Reposted by Wes
🚨Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users.
January 8, 2026 at 9:50 PM
Reposted by Wes
We've heard people like Starter Packs, so we just began putting one together for open source organizations. It could be an OSPO like us, a Foundation that supports projects and the ecosystem, or accounts for OSS events.

Take a look and tell us who else should be there.
go.bsky.app/Te7sTt9
Open Source Organizations
January 8, 2026 at 4:00 PM
Reposted by Wes
Like the rest of the internet, Sentry runs on Open Source. Like the rest of the @opensourcepledge.com companies, we also believe in paying it back.

In 2025, we gave out $750k to the OSS projects we rely on; here’s a sampling of some of them, and why they are so crucial 🧵
January 6, 2026 at 5:59 PM
Reposted by Wes
Haha thanks!

You & @chadwhitacre.com & @sentry.io putting so much time & effort & money into @opensourcepledge.com & sponsorships was a big reason why I joined Sentry. It speaks positively and strongly about the company culture and motivations and people!
January 5, 2026 at 8:04 PM
Reposted by Wes
It's a new year 🎉 Are you currently hiring for a role that includes using Node.js? Reply with a link to the opening and any relevant context.

If you're not, we'd appreciate a repost for visibility 💚
January 6, 2026 at 6:13 PM
Reposted by Wes
TIL that modern Node not only supports `--env-file` / `--env-file-if-exists` but also a new method to programmatically load .env files.

It's been marked stable since Node v24 (current LTS), and I'm now on the journey of removing all the `dotenv` dependencies. 😅

www.stefanjudis.com/today-i-lear...
January 6, 2026 at 3:19 PM
Reposted by Wes
And yet it's one of the most insightful and powerful statements one can make. Realizing and admitting that one simply doesn't know the answer.

If only more people were capable of realizing and strong enough to admit it.

Would solve a lot of things in this world.
January 5, 2026 at 6:21 PM
Look, I won't judge what folks were doing 11 years ago, but if you do anything like this in your packages in the year 2026, please reconsider: socket.dev/npm/package/...
January 5, 2026 at 8:20 PM
Honestly, this screenshot from slack right here fully captures my essence day. 8 years and I still just don't know.
January 5, 2026 at 5:27 PM
Reposted by Wes
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...
December 22, 2025 at 7:16 AM
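As an added example of the kind of check a lockfile linter performs (written for this page, not taken from the eslint plugin announced above, whose actual rules are not shown here): a small JavaScript checker that walks a package-lock.json `packages` map and flags entries whose `resolved` URL is not on an allow-listed registry origin, is fetched over plain http, or lacks a sha512 `integrity` hash. The trusted-origin list and the sample lockfile are constructed assumptions. The interesting case is the look-alike host: its hash is well-formed and the diff looks like any other dependency bump, so only the origin comparison catches it.

```javascript
// Added example: minimal lockfile sanity checks of the kind a lockfile linter runs.
// Not the eslint-plugin's code. Targets the npm v2/v3 lockfile "packages" map.

// Assumption: the only registry this project is allowed to fetch tarballs from.
const TRUSTED_ORIGINS = ['https://registry.npmjs.org'];

// Base64 sha512 digest: 86 base64 characters plus "==" padding.
const SHA512_SRI = /^sha512-[A-Za-z0-9+/]{86}==$/;

// Returns a list of { path, rule, detail } findings; an empty list means clean.
function checkLockfile(lock, trustedOrigins = TRUSTED_ORIGINS) {
  const findings = [];
  const flag = (path, rule, detail) => findings.push({ path, rule, detail });

  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, no tarball
    if (entry.link) continue;  // workspace symlink, nothing is fetched

    const { resolved, integrity } = entry;
    if (!resolved) {
      flag(path, 'missing-resolved', 'no resolved URL recorded');
      continue;
    }
    let url;
    try {
      url = new URL(resolved);
    } catch {
      flag(path, 'unparseable-resolved', resolved);
      continue;
    }
    if (url.protocol !== 'https:') flag(path, 'insecure-protocol', url.protocol);
    // Compare the whole origin, so registry.npmjs.org.attacker.example does not match.
    if (!trustedOrigins.includes(url.origin)) flag(path, 'untrusted-registry', url.origin);

    if (!integrity) flag(path, 'missing-integrity', 'tarball cannot be verified');
    else if (!SHA512_SRI.test(integrity)) flag(path, 'weak-integrity', integrity.split('-')[0]);
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one clean entry and three bad ones.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/good-pkg': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/good-pkg/-/good-pkg-1.0.0.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',
    },
    // Look-alike host: the hash is well-formed, so only the origin check catches it.
    'node_modules/injected-pkg': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org.attacker.example/injected-pkg/-/injected-pkg-1.0.0.tgz',
      integrity: 'sha512-' + 'B'.repeat(86) + '==',
    },
    'node_modules/no-integrity': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/no-integrity/-/no-integrity-2.0.0.tgz',
    },
    'node_modules/http-pkg': {
      version: '0.1.0',
      resolved: 'http://registry.npmjs.org/http-pkg/-/http-pkg-0.1.0.tgz',
      integrity: 'sha1-' + 'C'.repeat(27) + '=',
    },
  },
};

// Usage: run with node; for a real project pass JSON.parse of the package-lock.json contents.
for (const f of checkLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.rule} (${f.detail})`);
}
```

Treat the trusted-origin list as project policy: a private registry or git dependency would need its own entry or rule, and a workspace that legitimately uses `file:` specifiers should be exempted explicitly rather than by loosening the origin check.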
Can we just all agree to extend the holiday break a bit longer? Maybe into March?
January 5, 2026 at 4:11 PM
Reposted by Wes
Oh hi. 👋 We're back with the latest Security Snapshot that covers how to publish to npm safely and with ease. ✨

@rafaelgss.dev breaks down why local publishing with 2FA gives you the safest setup right now.
January 5, 2026 at 4:04 PM
I have someone in my email from GitNation asking about a tech speaking thing. I have never heard of them, but their website has names of people I know. Is this legitimate or spam?
December 17, 2025 at 4:55 PM
Reposted by Wes
It's not only NPM.
🚨 New threat research: An impostor #NuGet package typosquatted a popular .NET tracing library and its author, using homoglyph tricks to blend in, then exfiltrated #Stratis wallet JSON and passwords to a Russian IP address.
Full report →
socket.dev/blog/malicio... #dotnet
Malicious NuGet Package Typosquats Popular .NET Tracing Libr...
Impostor NuGet package Tracer.Fody.NLog typosquats Tracer.Fody and its author, using homoglyph tricks, and exfiltrates Stratis wallet JSON/passwords t...
December 15, 2025 at 10:26 PM
Looks like I was right!

bsky.app/profile/reac...
I have been looking at this like it will be the js log4j. Now with lots of eyes might come a string of other issues.
December 11, 2025 at 10:09 PM
Reposted by Wes
ESLint lost 1/3 of its sponsorships in 2025 while downloads are up 62%. If every company where ESLint is used donated just $100/month, we'd have more than enough. Please talk to your manager about sponsoring ESLint:
https://eslint.org/donate
December 9, 2025 at 8:20 PM
"I've written and deleted a comment enough times here that I need to move on."

I am fully on board with a message of:

Show me that you looked at the code at all.

github.com/expressjs/ex...
feat: add CORS-aware ETag modes and configurable query parser options by iAn-P1nt0 · Pull Request #6908 · expressjs/express
Overview This PR introduces two independent enhancements to Express.js that address long-standing issues with CDN caching and query string handling. Changes Included 1. CORS-Aware ETag Generation (...
December 10, 2025 at 8:14 PM
Reposted by Wes
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou...
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...
December 10, 2025 at 5:45 AM
Reposted by Wes
🧨 “Gaps in design and implementation with the new OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps in their publishing setups. We do not recommend critical projects move to this new workflow..." - @notwes.bsky.social
socket.dev Socket @socket.dev · Dec 10
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
December 10, 2025 at 6:03 AM
Reposted by Wes
Want to work with me and a number of world-class JS open source developers at @socket.dev protecting ALL open source libraries from supply chain attacks?

We're looking for stellar frontend developers. DM me
December 10, 2025 at 6:12 PM
Reposted by Wes
❗️Node.js Security release pre-alert ❗️
We will release new versions of v20, v22, v24, v25 release lines on or shortly after the 15th of December 2025 in order to address:
* 3 high severity issues.
* 1 low severity issue.
* 1 medium severity issue.
nodejs.org/en/blog/vuln...
Node.js — Monday, December 15, 2025 Security Releases
December 8, 2025 at 5:50 PM
Reposted by Wes
Cloudflare was down for half an hour this morning, and it was caused by work we were doing to try to mitigate the React CVE. (Seriously, people: upgrade Next.js/React Router etc right now)
Dane Knecht 🦭 on X: "We are aware of the issue impacting the availability of Cloudflare’s network. It was not an attack; root cause was disabling some logging to help mitigate this week’s React CVE. Will share full details in a blog post today. Sites should be back online now, but I understand the" / X
December 5, 2025 at 10:36 AM
If you haven’t patched any libs you maintain, go do that immediately. This is “as bad as it gets”. We need everything moved past these vulnerable versions because they can *easily* be mistakenly in your apps.
mk.gg Matt Kane @mk.gg · Dec 5
The original React2shell PoC is now public. This is as bad as it gets – full RCE. You must upgrade now. There are mitigations in place in CDNs including Cloudflare, Netlify, Vercel and AWS (and sites on Workers aren't vulnerable to this sort of attack), but there are variants in the wild now.
GitHub - lachlan2k/React2Shell-CVE-2025-55182-original-poc: Original Proof-of-Concept's for React2Shell CVE-2025-55182
December 5, 2025 at 12:53 PM
Reposted by Wes
The changed code is a small fraction of an open source contribution. Your commitment to understand the issue, how your proposed solution fits with the project, and be ready to own and push the review process forward is the biggest chunk of the work. Your effort is the contribution, not the code.
December 5, 2025 at 9:58 AM