This Week In React #282: Security, Fate, TanStack, Redux, Jotai, Base UI, Relay, Storybook | Hermes-node, Expo, Rozenite, Harness, VR, Nitro, Skia, Redraw | TC39, Bun, pnpm, npm, Yarn, Node, Webpack | This Week In React
Briefly

Security incidents are increasing across JavaScript and adjacent ecosystems, with more packages being compromised and vulnerabilities being widely reported. A worm campaign continues compromising users and maintainers across multiple ecosystems, impacting popular packages and GitHub Actions. Compromises have also affected OpenAI employees, leading to regeneration of code signing certificates. Yarn and npm are improving security, while Bun and pnpm are being ported to Rust. On the React Native side, Hermes-node is described as exciting but still early. TC39 meetings are progressing several proposals, indicating ongoing evolution in the JavaScript language ecosystem.
"More packages are being compromised, and blog posts are also covering recent RSC vulnerabilities. Maybe we're reaching a tipping point, and better security practices will consolidate this year. On the React Native side, Hermes-node is quite exciting, although it's very early. An exciting TC39 meeting is currently underway, and several proposals have already progressed. Yarn and npm are improving on the security side. Bun and pnpm are being ported to Rust."
"Remember last week's TanStack Router compromise? The dangerous worm from TeamPCP keeps compromising users and maintainers across ecosystems, affecting popular packages such as echarts-for-react and @antv, and GitHub actions such as actions-cool/issues-helper. OpenAI employees got compromised, leading them to regenerate code signing certificates. Grafana has been"