If a private npm module is listed as a dependency in a package.json, then Renovate will attempt to keep it up-to-date by querying the npm registry like it would for any other package. Hence, by ...
Russia's invasion of Ukraine has spilt over into developer-space, with a well-known npm maintainer adding "protestware" as a dependency to a very popular package. Security vendor Snyk is tracking what ...
The functionality requested below is currently implemented in TypeScript since at least 1.8 with one main difference: In TypeScript it is a lot harder to re-use TypeScript modules compared to re-using ...
The node-ipc developer's attempt to protest Russia's attack on Ukraine has the unintended consequence of casting more doubt on software supply chain integrity. The developer of a popular JavaScript ...
A hugely popular open source JavaScript npm module had malicious code injected after the original developer handed it over to another unknown person to maintain. New Zealander Dominic Tarr maintained ...