Dumb.
»Around 20 affected packages from developer qix's repertoire are known, which together are downloaded more than two billion times per week (!).«
https://www.heise.de/news/Grosser-Angriff-auf-node-js-10637088.html

Some #npm packages that are very frequently used as dependencies are compromised:
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
Time to search your own ".lock" files for the affected dependencies and, above all, for SUB-DEPENDENCIES.
Also useful:
package.json has an "overrides" property that lets you exclude packages with security vulnerabilities.
#packages #dependencies #compromised #Security #malware #node #NodeJS #npm #npmcompromised #yarn #bun
Please forward @uugrn @RaumZeitLabor
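Added example (not from any of the posts here): a Node.js script that walks a package-lock.json (lockfileVersion 1 nested tree or lockfileVersion 2/3 flat "packages" map), reports every install of a package on an affected list including nested sub-dependencies, and emits the package.json "overrides" block that pins each one to a known-good release. The package names are the ones named in this thread; every version number, the affected list and the sample lockfile are constructed placeholders, not advisory data.

```javascript
// Scan an npm lockfile for affected packages (direct and transitive) and
// generate a package.json "overrides" block.  Versions are PLACEHOLDERS.

// name -> Set of compromised versions (placeholder values, not real ones)
const AFFECTED = {
  chalk: new Set(["9.9.9"]),
  debug: new Set(["9.9.9"]),
  "ansi-styles": new Set(["9.9.9"]),
  "supports-color": new Set(["9.9.9"]),
};

// Known-good versions to pin to (placeholders; take real ones from the advisory)
const SAFE = {
  chalk: "0.0.0-placeholder",
  debug: "0.0.0-placeholder",
  "ansi-styles": "0.0.0-placeholder",
  "supports-color": "0.0.0-placeholder",
};

// Derive the package name from a v2/v3 install path such as
// "node_modules/express/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  if (idx === -1) return null; // the "" root entry has no node_modules path
  return p.slice(idx + "node_modules/".length);
}

// Returns [{ name, version, path }] for every affected install, nested or not.
function scanLockfile(lock, affected = AFFECTED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: one flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(path);
      if (name && affected[name] && affected[name].has(meta.version)) {
        hits.push({ name, version: meta.version, path });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree, so recurse
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (affected[name] && affected[name].has(meta.version)) {
          hits.push({ name, version: meta.version, path });
        }
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Build the "overrides" object: npm applies it to transitive dependencies too,
// so a nested sub-dependency gets replaced as well as a direct one.
function buildOverrides(hits, safeVersions) {
  const overrides = {};
  for (const h of hits) {
    if (!(h.name in safeVersions)) {
      throw new Error(`no known-good version configured for ${h.name}`);
    }
    overrides[h.name] = safeVersions[h.name];
  }
  return overrides;
}

// Constructed sample lockfile (v3 layout): one direct hit (chalk) and one
// nested hit (debug under express); the top-level debug is a clean version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/chalk": { version: "9.9.9" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "9.9.9" },
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/@types/node": { version: "20.0.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Real use: const lock = JSON.parse(fs.readFileSync("package-lock.json"));
  const hits = scanLockfile(SAMPLE_LOCK);
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
  console.log(JSON.stringify({ overrides: buildOverrides(hits, SAFE) }, null, 2));
}
```

After adding the generated block to package.json, a fresh `npm install` rewrites the lockfile; re-run the scan on the new lockfile to confirm no affected version remains, including at nested paths.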
As someone who has done a fair amount of code dealing with ECMA-35 and ECMA-48, today I discovered that node has a has-ansi package.
It is on version 6. It is 7 lines long. It requires 2 other packages. And it is marked beta.
There's an entire separate package with a complete infrastructure of its own for a single regular expression.
This degree of incohesion is mad.
the massive #node / #npm supply chain hack thankfully seems to have once again been aimed solely at stealing #crypto so once again if you don't use crypto you don't have much to worry about.
that said getting your #malware downloaded over a billion times is... impressive.
details: https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the
NPM supply-chain compromise: over 2B weekly downloads impacted
@aikidosecurity reports that popular #packages maintained by #qix (including #chalk, #debug, #ansistyles, #supportscolor, and others) were compromised.
These packages are deeply embedded in the #Node.js #ecosystem, used by frameworks, build tools, and apps worldwide.
Meh… supply-chain security isn't optional.
#sbom ?
- Audit dependencies regularly
- Pin versions where possible
- Monitor advisories and lockfile integrity
Source: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
Diligent is hiring Software Engineer II - Community
#c #cplusplus #javascript #python #ruby #typescript #rubyonrails #serverless #node #api #aws #terraform
Bengaluru, India
Full-time
Diligent
Job details https://jobsfordevelopers.com/jobs/software-engineer-ii-community-at-diligent-com-jun-25-2025-2e9ca8?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
Hive AI is hiring Software Engineer - Backend
#node #api #rest #postgresql
Seattle, Washington
Full-time
Hive AI
Job details https://jobsfordevelopers.com/jobs/software-engineer-backend-at-thehive-ai-apr-21-2022-0e9a86?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
Back in 2020, I wanted to build a poor man's DDNS solution for my home lab. My idea was a Telegram bot that I'd ask what the IP is, and it would respond with the current public IP of my behind-NAT router. I know, sounds insane, and I never did it. However, in the process, I got quite annoyed by how shitty most of the "what's my IP address" websites were, so I built my own one.
I was going to host it on #Vercel, and v1 was a #Go handler. I thought it was going to be fast, but the cold starts aren't very good on Vercel's free plan, so it was pretty slow.
v2 was the same idea, but repackaged as a JS function. It was a bit faster, but not by much, but I didn't care. It did what it needs to do, that's the important thing.
I am in the process of migrating my projects off GitHub and Vercel now. I was thinking about how I could run ip differently, how would I self-host it? Should it still be a #Node.js handler? Back to Go? And then, an idea struck me: Do I even need an app for that? Can't I do it one layer below?
Introducing: ip v3. Now it runs completely in #Caddy. There is no reverse proxy anywhere; Caddy just responds with the client IP immediately. I now self-host it on a cheap VPS, and it's incredibly fast. I now definitely know there is no tracking involved. And, the biggest thing—it now supports IPv6, while Vercel laughably does not. It's just better in every single way.
Makes me want to implement more stuff directly in Caddy
That does not justify the extermination of the entire Palestinian civilian population, including neutral aid workers and reporters.
Big update for our type-safe combinatorial #CLI parser for #TypeScript:
showDefault: automatic default value display. The help text has never looked this good!
ClickUp is hiring Senior Backend Engineer, Inbox
#typescript #node #aws #docker #kubernetes #postgresql #seniorengineer
Bulgaria
Full-time
ClickUp
Job details https://jobsfordevelopers.com/jobs/senior-backend-engineer-inbox-at-clickup-com-mar-20-2025-124e47?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
CLEAR is hiring Senior Frontend Engineer
#javascript #typescript #react #node #aws #docker #kubernetes #seniorengineer
New York City, New York
Full-time
CLEAR
Job details https://jobsfordevelopers.com/jobs/senior-frontend-engineer-at-clearme-com-jul-8-2025-6eca80?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
Can we make better conference chairs? Steelcase is trying with its Node chairs, which can move and swivel.
https://www.conferencesthatwork.com/index.php/event-design/2013/06/better-cconference-chairs
ClickUp is hiring Senior Backend Engineer, Fields
#typescript #node #aws #seniorengineer
Poland
Full-time
ClickUp
Job details https://jobsfordevelopers.com/jobs/senior-backend-engineer-fields-at-clickup-com-jun-13-2025-508d7c?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
It is probably better that no one asks _why_ I'd write code like this, just accept that NodeJS pushed me into doing some questionable things with Nix...
Hive AI is hiring Senior Site Reliability Engineer
#python #ruby #node #api #cicd #docker #awsec2 #kubernetes #postgresql #awss3 #seniorengineer
Seattle, Washington
Full-time
Hive AI
Job details https://jobsfordevelopers.com/jobs/senior-site-reliability-engineer-at-thehive-ai-apr-21-2022-6a1b1c?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
#node : the joint of a stem, or the part where a leaf or several leaves are inserted
- French: nœud
- German: der Knoten
- Italian: nodo
- Portuguese: nodo
- Spanish: nodo
------------
Word of The Hour's Annual Survey @ https://wordofthehour.org/r/form
We're excited to announce the release of BotKit 0.3.0! This release marks a significant milestone as #BotKit now supports #Node.js alongside #Deno, making it accessible to a wider audience. The minimum required Node.js version is 22.0.0. This dual-runtime support means you can now choose your preferred #JavaScript runtime while building #ActivityPub #bots with the same powerful BotKit APIs.
One of the most requested features has landed: poll support! You can now create interactive polls in your #bot messages, allowing followers to vote on questions with single or multiple-choice options. Polls are represented as ActivityPub Question objects with proper expiration times, and your bot can react to votes through the new onVote event handler. This feature enhances engagement possibilities and brings BotKit to feature parity with major #fediverse platforms like Mastodon and Misskey.
// Create a poll with multiple choices
await session.publish(text`What's your favorite programming language?`, {
  class: Question,
  poll: {
    multiple: true, // Allow multiple selections
    options: ["JavaScript", "TypeScript", "Python", "Rust"],
    endTime: Temporal.Now.instant().add({ hours: 24 }),
  },
});

// Handle votes
bot.onVote = async (session, vote) => {
  console.log(`${vote.actor} voted for "${vote.option}"`);
};
The web frontend has been enhanced with a new followers page, thanks to the contribution from Hyeonseo Kim (@gaebalgom)! The /followers route now displays a paginated list of your bot's followers, and the follower count on the main profile page is now clickable, providing better visibility into your bot's audience. This improvement makes the web interface more complete and user-friendly.
For developers looking for alternative storage backends, we've introduced the SqliteRepository through the new @fedify/botkit-sqlite package. This provides a production-ready SQLite-based storage solution with ACID compliance, write-ahead logging (WAL) for optimal performance, and proper indexing. Additionally, the new @fedify/botkit/repository module offers MemoryCachedRepository for adding an in-memory cache layer on top of any repository implementation, improving read performance for frequently accessed data.
This release also includes an important security update: we've upgraded to #Fedify 1.8.8, ensuring your bots stay secure and compatible with the latest ActivityPub standards. The repository pattern has been expanded with new interfaces and types like RepositoryGetMessagesOptions, RepositoryGetFollowersOptions, and proper support for polls storage through the KvStoreRepositoryPrefixes.polls option, providing more flexibility for custom implementations.