
Show HN: Tips to stay safe from NPM supply chain attacks

https://github.com/bodadotsh/npm-security-best-practices
17•bodash•4h ago
Hi everyone, given the recent increase of attacks on the NPM supply chain, I've put together a list of tips and tricks to help developers stay secure on this specific topic: https://github.com/bodadotsh/npm-security-best-practices

I'd love for you to check it out, and contribute your own insights and best practices to make this a comprehensive resource for the community.

Cheers!

Comments

turtleyacht•2h ago
For reducing external dependencies, it would be nice to somehow know every call made to a package, generating the call tree to replace. That becomes the API of the internal, replacement package.
privatelypublic•1h ago
Not sure that's possible with JS.
zenmac•55m ago
You mean this: https://npmgraph.js.org
indigodaddy•46m ago
Someone recommended this to me on another thread and I tried it yesterday, and it seems very good:

https://github.com/safedep/vet

HoyaSaxa•31m ago
For most projects, overriding every single transitive dependency to be pinned is impractical.

Instead, for those using npm, I'd highly suggest using `npm ci` both locally and of course on CI/CD. This will ensure the (transitive) dependencies pinned in the lockfile are used.

TIL on the `npm install --before="$(date -v -1d)"` trick; thanks for that! Using that to update (transitive) dependencies should be really helpful.

For those using GitHub Actions, I'd also recommend taking advantage of the new dependabot cooldown feature to reduce the likelihood of an incident. Also make sure to pin all GitHub Action dependencies to a sha and enforce that at the GitHub repo/account level.
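One way to enforce the "pin all GitHub Action dependencies to a sha" advice from the comment above, as an added example that is not code from this thread or from the linked npm-security-best-practices repository: a small POSIX shell check that scans workflow files for `uses:` references whose version is not a full 40-character commit SHA. It assumes GitHub's `owner/repo@ref` reference syntax; the sample workflow files are constructed inline, and the 40-digit SHAs in them are placeholders, not real commits.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked repository.
# Audits GitHub Actions workflow files for `uses:` references that are not
# pinned to a full 40-hex commit SHA (tags like @v4 or branches like @main
# can be moved to new code; a commit SHA cannot).

# Print one "file:line:ref" entry per unpinned action reference.
unpinned_uses() {
    for f in "$@"; do
        grep -n '^[[:space:]]*-\{0,1\}[[:space:]]*uses:' "$f" 2>/dev/null |
        while IFS= read -r hit; do
            lineno=${hit%%:*}
            ref=${hit#*uses:}
            # Drop trailing comments, quotes and whitespace around the reference.
            ref=$(printf '%s' "$ref" | sed -e 's/#.*//' -e 's/["'"'"' ]//g')
            # Local composite actions and docker images are outside this check's scope.
            case "$ref" in
                ''|./*|docker://*) continue ;;
            esac
            version=${ref##*@}
            # A full commit SHA is exactly 40 lowercase hex characters.
            if ! printf '%s\n' "$version" | grep -Eq '^[0-9a-f]{40}$'; then
                printf '%s:%s:%s\n' "$f" "$lineno" "$ref"
            fi
        done
    done
}

# Exit 0 when every reference is SHA-pinned, 1 otherwise (listing offenders).
check_workflow_pins() {
    offenders=$(unpinned_uses "$@")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample workflows (the 40-digit SHAs are placeholders, not real commits).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pinned.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - run: npm ci
EOF
cat > "$SAMPLE_DIR/unpinned.yml" <<'EOF'
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-node@main"
      - uses: some-org/some-action@1111111111111111111111111111111111111111
      - run: npm install
EOF

# Stand-alone run over both samples: lists the two mutable references in unpinned.yml.
check_workflow_pins "$SAMPLE_DIR"/*.yml || echo "unpinned action references found"
```

Running this as a required CI step (or a pre-commit hook) turns the pinning rule into a check rather than a convention; the trailing `# v4` comment style in the pinned sample is what dependabot uses to keep a human-readable version next to the SHA it updates.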
