📰 npm

Benchmarks of JavaScript Package Managers

Was not aware of that: pnpm regularly updates these benchmarks that compare npm, yarn and pnpm

weeklyfoo #18 / 2024-02-05
benchmark, pnpm, yarn, npm

How to keep package.json under control

Val Town is a React application with a ton of dependencies. It’s complicated, and we have to deal with dependency upgrades all the time.

weeklyfoo #102 / 2025-09-15
dependencies, javascript, npm

Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar

Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.

weeklyfoo #69 / 2025-01-27
security, npm

Leaner npm packument (metadata) contents

And by doing that reducing the size of packuments.

weeklyfoo #42 / 2024-07-22
npm

Modern JavaScript library starter

How to publish a package with TypeScript, testing, GitHub Actions, and auto-publish to NPM

weeklyfoo #18 / 2024-02-05
npm, package, starter

Nightmares on npm: How Two Malicious Packages Facilitate Data Theft and Destruction

Our threat research team breaks down two malicious npm packages designed to exploit developer trust, steal your data, and destroy data on your machine.

weeklyfoo #54 / 2024-10-14
security, npm

npm Adopts OIDC for Trusted Publishing in CI/CD Workflows

npm now supports Trusted Publishing with OIDC, enabling secure package publishing directly from CI/CD workflows without relying on long-lived tokens.

weeklyfoo #99 / 2025-08-25
npm, oidc, security

npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack

npm author Qix’s account was compromised, with malicious versions of popular packages like chalk-template, color-convert, and strip-ansi published.

weeklyfoo #102 / 2025-09-15
security, npm

npm in Review: A 2023 Retrospective on Growth, Security, and Quirky Facts

A look back, and some funny surprises.

weeklyfoo #16 / 2024-01-22
npm, 2023

npm malware

Get informed about malicious npm packages in realtime

weeklyfoo #17 / 2024-01-28
npm, malware

NPM registry prank leaves developers unable to unpublish packages

everything fetches everything

weeklyfoo #14 / 2024-01-07
npm

npm trusted publishing with OIDC is generally available

As of today, npm trusted publishing with OpenID Connect (OIDC) is now generally available.

weeklyfoo #97 / 2025-08-11
npm

The Great npm Garbage Patch

Thousands of spam npm packages are polluting the system.

weeklyfoo #46 / 2024-08-19
npm, spam

The package that broke NPM (accidentally)

The story behind the <everything> npm package that stressed npm

weeklyfoo #15 / 2024-01-14
npm

We shouldn’t have needed lockfiles

About the nonsense of lockfiles

weeklyfoo #97 / 2025-08-11
lockfiles, npm

Which npm package has the largest version number?

I spent way too much time on this

weeklyfoo #103 / 2025-09-22
investigations, npm

Why Does 'is-number' Package Have 59M Weekly Downloads?

Just saying: chain of dependencies!

weeklyfoo #22 / 2024-03-04
npm