Reading up on npm
12 deep · digging since jan 19
- Nub — an all-in-one toolkit for Node.js
Nub is a TypeScript-first toolkit for Node.js that provides a faster npm/pnpm run, a pnpm-compatible package manager, and a Node version manager, with no lock-in.
- .gitignore Isn't the only way to ignore files in Git
The article explores alternative Git ignore mechanisms beyond .gitignore, including .gitattributes for diff suppression and local exclude files, while sparking debate on reviewing lockfile diffs.
- Open Source vs the Invisible Hand
Open source software production defies standard economic theory by producing stable, valuable, and widely-used goods despite lacking price signals, contracts, or incentives that textbooks predict are necessary.
- A backdoor in a LinkedIn job offer - Roman Imankulov
A fake recruiter sent a LinkedIn job candidate a GitHub repo with a backdoor that executes on npm install by running a remote-controlled command payload hidden in a test file.
- How to Evaluate an npm Package - 2026 Edition
A practical checklist for evaluating npm packages in 2026 covering security, maintenance, provenance, CI quality, and incident response to make informed dependency decisions.
- Package managers that package package managers
Andrew Nesbitt built a matrix showing which of 42 package managers can install each other, finding a 14-hop chain from AUR to an Elm compiler.
- Dumb Ways for an Open Source Project to Die
The piece enumerates dozens of distinct ways open-source projects become effectively dead, from maintainer abandonment to sabotage and ecosystem shifts.
- Before GitHub | Armin Ronacher's Thoughts and Writings
Armin Ronacher argues that as GitHub declines due to instability and product churn, open source must preserve its history by moving to decentralized, archivally-funded homes that avoid the pre-GitHub era's fragility.
- GitHub Actions is the weakest link
GitHub Actions' default features—mutable tags, pull_request_target, template injection, and write-scoped tokens—have enabled a chain of supply-chain attacks on open-source registries, and GitHub's opt-in security roadmap won't fix the root causes.
- Email.md - Responsive Emails, Written in Markdown
Email.md converts Markdown into responsive, email-safe HTML that renders consistently across all email clients.
- Just a moment...
jQuery 4.0.0 final release drops IE<11 support, removes deprecated APIs, adopts ES modules, adds Trusted Types support, and reduces size by over 3KB gzipped.