
Update: This is what our official response and mitigation strategy looks like: Greenkeeper Verify

Last Friday I came home from a very nice evening out with friends. It was a bit earlier than usual, because I was about to go on a weekend trip to Hamburg with my partner the next morning at 7am.

I know I probably shouldn’t be doing this but I had one last look at my Twitter client, just to check if something important happened in my absence. And indeed, there was a suspicious tweet.

Where it all began

Greenkeeper is a service I’m running together with my friends at The Neighbourhoodie. It works by sending pull requests to keep npm dependencies up to date. But the pull request in the tweet above didn’t look right, because the actual diff was total nonsense — there was no way it was coming from us. Was this screenshot just a weird way for the Karma project to express their appreciation for the service? Not really — I quickly realized that someone had created a GitHub account called “greenkeeperlo-bot”, the spitting image of our account “greenkeeperio-bot”, to send out spammy pull requests in our name. They had copied our avatar, our pull request bodies, our commit message and our branch naming pattern. The commits themselves were faked by signing them off using our bot’s email address — a well-known problem in how GitHub attributes commits. …



How to make use of npm’s package distribution tags to create release channels just like Google Chrome’s

Software releases are exciting for both package authors and users. The hard work of the past weeks is finally going to be manifested in this one shiny new version. All the to-do list items are crossed off, the tests are green, the release blogpost is ready. Soon it will be read and shared by thousands, Twitter is going to fill up with praise and cheering. Phew! Done! 💪🎉

The excitement of a release is an important factor to keep everyone involved in a project happy and motivated and it’s a lot of fun. …


In the JavaScript and Node.js world we have an incredible number of modules available at our fingertips. And we have great tools like npm and great conventions like semantic versioning that help us make productive use of them. One of the most important features in that regard is version ranges. They are a simple way to declare your compatibility with a dependency — in a future-proof way.

Let’s say we started using lodash when it was at version “3.3.1”, we can then declare our dependence on that package using the caret range “^3.3.1”, …


In this article I want to explain why this one particular lifecycle script causes so much confusion and debate.

Edit: To mitigate the confusing nature of prepublish, two new scripts were added to npm as of version 4.0.0: prepublishOnly and prepare.

The process of publishing a package is fragile, because it consists of many tiny steps — each of them important, because the smallest mistake can break your users’ apps and modules. It is therefore important to automate as much of it as possible. npm’s solution for this is lifecycle event hooks, which allow you to execute arbitrary commands before or after something important happens, like the publishing of a package.

prepublish is one of these scripts and — as recommended by the official documentation — it can be used to transpile and minify your code and to fetch “remote resources that your package will use”. …


Nature around the conference venue. Photo by Lena Reinhard.

On March 7th the first ever .concat() web development conference took place in Salzburg, Austria. After sharing some insights on “How much it cost us to make more attendees feel safe and welcome”, I want to focus on 3 things that I believe helped to attract diverse and high quality speakers.

Really caring about a diverse lineup, we knew “A Code of Conduct [would not be] Enough”. …


Folks chatting in front of the front desk. Photo by Lena Reinhard.

Last weekend the first ever .concat() web development conference took place in Salzburg, Austria. Being a low-budget community event, we didn’t have a lot of money. But we tried to show our attendees and speakers that we care about them. Here’s what we did and what it cost us.

Code of Conduct

Adopting a Code of Conduct was free. We put it up on our website, made it part of the ticket purchasing process, mentioned it on Twitter and on stage. You can get the text from other great conferences or confcodeofconduct.com and read a ton about it. …

Stephan Bönnemann-Walenta
