jm + packages   5

Malicious packages in npm
The node.js packaging system is being exploited by bad guys to steal auth tokens at build time. This is the best advice they can come up with:
Always check the name of packages you’re installing. You can look at the downloads number: if a package is popular but the downloads number is low, something is wrong.


:facepalm: What a mess. Security needs to become a priority....
javascript  security  npm  node  packaging  packages  fail 
21 days ago by jm
USA Address & Package Forwarding - Shipito
recommended by Eoin for Parcelmotel-style delivery forwarding
packages  delivery  parcels  parcelmotel  shipito  via:eoin  usa 
april 2017 by jm
left-pad.io
A microservice saviour appears!
In order to prevent such a terrible tragedy from occurring ever again during
our lifetimes, `left-pad.io` has been created to provide all the functionality
of `left-pad` AND the overhead of a TLS handshake and an HTTP request.
Less code is better code, leave the heavy lifting to `left-pad.io`, The String
Experts™.
humor  javascript  jokes  npm  packages  left-pad  strings  microservices  http 
march 2016 by jm
Authenticated app packages on Sandstorm with PGP and Keybase
Nice approach to package authentication UX using Keybase/PGP.
When you go to install a package, Sandstorm verifies that the package is correctly signed by the Ed25519 key. It looks for a PGP signature in the metadata, and verifies that the PGP-signed assertion is for the correct app ID and the email address specified in the metadata. It queries the Keybase API to see what accounts the packager has proven ownership of, and lists them with their links on the app install page.
authentication  auth  packages  sandstorm  keybase  pgp  gpg  security 
november 2015 by jm
