Update: This is what our official response and mitigation strategy looks like: Greenkeeper Verify

Last Friday I came home from a very nice evening out with friends. It was a bit earlier than usual, because I was about to go on a weekend trip to Hamburg with my partner the next morning at 7am.

I know I probably shouldn’t be doing this but I had one last look at my Twitter client, just to check if something important happened in my absence. And indeed, there was a suspicious tweet.

Greenkeeper is a service I’m running…


How to make use of npm’s package distribution tags to create release channels just like Google Chrome’s

Software releases are exciting for both package authors and users. The hard work of the past weeks is finally going to be manifested in this one shiny new version. All the to-do list items are crossed off, the tests are green, the release blogpost is ready. Soon it will be read and shared by thousands, Twitter is going to fill up with praise and cheering. Phew! Done! 💪🎉

The excitement of a release is an important factor to keep everyone involved in a project happy and motivated and it’s a lot of fun. …


In the JavaScript and Node.js world we have an incredible number of modules available at our fingertips. And we have great tools like npm and great conventions like semantic versioning that help us to make productive use of them. One of the most important features in that regard is version ranges. It’s a simple way to declare your compatibility with a dependency — in a future-proof way.


In this article I want to explain why this one particular lifecycle script causes so much confusion and debate.

Edit: To mitigate the confusing nature of prepublish, two new scripts were added to npm as of version 4.0.0: prepublishOnly and prepare.

The process of publishing a package is fragile, because it consists of many tiny steps — each of them important, because the smallest mistake can break your users’ apps and modules. It is therefore important to automate as much of it as possible. npm’s solution for this is lifecycle event hooks, which allow you to execute arbitrary commands before or after something important happens, like the publishing of a package.

prepublish is one of these scripts and —…


On March 7th the first ever .concat() web development conference took place in Salzburg, Austria. After sharing some insights on “How much it cost us to make more attendees feel safe and welcome”, I want to focus on 3 things that I believe helped to attract diverse and high quality speakers.

Really caring about a diverse lineup, we knew “A Code of Conduct [would not be] Enough”. …


Last weekend the first ever .concat() web development conference took place in Salzburg, Austria. Being a low-budget community event, we didn’t have a lot of money. But we tried to show our attendees and speakers that we care about them. Here’s what we did and what it cost us.

Adopting a Code of Conduct was free. We put it up on our website, made it part of the ticket purchasing process, mentioned it on Twitter and on stage. You can get the text from other great conferences or confcodeofconduct.com and read a ton about it. …

Stephan Bönnemann-Walenta
