npm weekly #73: no love for HTTP urls in shrinkwrap files, npm ❤️’s Rust, and the CLI asks for RFCs!

Originally published December 15, 2016

Security reminder: Avoid HTTP URLs in shrinkwrap files

Earlier this week, we announced a security issue disclosed to us by Deian Stefan, in which registry packages containing HTTP URLs could allow for remote execution.

The issue has been resolved, and you can read the full details on the vulnerability, the severity of the impact, and the solution on our blog: Avoid HTTP URLs in shrinkwrap files.

npm ❤️ Rust

Your two favorites, npm and the Rust language, have combined forces! npm recently began rewriting performance-critical bottlenecks in our registry service architecture in Rust, replacing C. See who else is using the services programming language in production for yourself.

Wombat-Driven Understanding

Last month, Raquel Vélez spoke at JSConf Asia in Singapore, and the video of her talk is out now. Watch Wombat-Driven Understanding — An Interactive Guide To Using npm for some npm tips and tricks.

Check this out: date-fns

Looking for the easiest and most consistent tool for manipulating JavaScript dates in Node.js or the browser? Check out date-fns, a simple and modular JavaScript date utility library. We dig it!

Coming soon: npm@5 RFCs

Like winter, npm@5 is coming soon — timed to coincide with Node.js version 8 — so the npm CLI registry team is preparing specifications. To effectively serve everyone in the expansive npm community, we need your input — so after the holiday break we’ll begin sharing RFCs about key design decisions. Learn about the process in a blog post by CLI team head Forrest Norvell, and watch this space: the RFCs will be featured here as they come down the pipe.

What we’re reading: Product Management: Being finite

This time of the year, the pressure to do it all is extra intense, so we loved reading npm human Nicole Sullivan’s piece on Being finite, and how she applies it to product management. “Because I no longer have the illusion of being infinite, I have learned the art of prioritization.” Slow down and give it a read.

npm at Node.js Interactive North America 🌎

In late November and early December, the Node.js Foundation held the Node.js Interactive North America conference, bringing Node fans stateside. npm human Ashley Williams was on hand to bring the State of the Union: npm to the table, and you can see the video of her talk now!

What could be better than wombats at work? (Spoiler: nothing)

We’ve been meaning to share this for a while, because who doesn’t love a good wombats at work video? Check out Chloe, an orphaned wombat at Sydney’s Taronga Zoo, as she accompanies zookeeper Evelyn on a morning walk.
