A major npm registry vulnerability

November 18, 2021 By Mark Otto

GitHub on npm Ecosystem Security (and a Major Bug They’ve Fixed) — GitHub became the custodian of the main npm registry in 2020 when it acquired npm Inc., and in this post they share details on how they’re improving its security. Rather worryingly, they recently identified two issues, one of which meant an attacker could publish new versions of any npm package without proper authorization(!). GitHub assures us, however, that it has not been “exploited maliciously” during the timeframe for which they have telemetry (September 2020 onward).

Mike Hanley (GitHub)

A Complete Intro to Building For Real-Time — Join Brian Holt for this detailed course on building apps that can push client messages up to the server and talk in real-time. You’ll learn long polling, how to open web sockets, SocketIO abstraction, HTTP/2 Push, retry strategies, and more.

Frontend Masters

Announcing TypeScript 4.5 — Just two weeks after the RC comes the final release. What’s new? The formerly promised ES module support for Node is now merely experimental and in nightly releases only, but you also get the Awaited type, faster load times via Node’s realpathSync.native, import assertion support, and support for the lib setting for node_modules so you can update your types on your own terms.

Daniel Rosenwasser (Microsoft)

Electron 16.0.0 Released — Electron, the toolkit for building cross-platform desktop apps with JavaScript, is now one of those projects with a fast, regular release cadence, so no huge changes here, but you get Chrome 96, Node 16.9.1 and V8 9.6 support, as well as the WebHID API.

OpenJS Foundation

Find Tech Jobs with Hired — Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It’s free for job-seekers.

Hired

🛠 Code & Tools

Execa 6.0: A Better child_process — A way to run external processes from your Node app. Has a Promise-based interface, better support for Windows, allows up to a 100MB max buffer (vs the 200KB child_process uses). Now a pure ES module.

Sindre Sorhus