As the creator and long-time maintainer of ESLint, Nicholas Zakas is well-positioned to criticize GitHub’s recent response to npm’s insecurity. He found the response insufficient, and has other ideas on how GitHub could secure npm better. On this episode, Nicholas details these ideas, paints a bleak picture of npm alternatives like JSR, and shares our frustration that such a critical piece of internet infrastructure feels neglected.

Featuring

Sponsors

Namespace – Speed up your development and testing workflows using your existing tools. (Much) faster GitHub actions, Docker builds, and more. At an unbeatable price.

Tiger Data – Postgres for Developers, devices, and agents The data platform trusted by hundreds of thousands from IoT to Web3 to AI and more.

Squarespace – A website makes it real! Use code CHANGELOG to save 10% on your first website purchase.

Notes & Links

📝 Edit Notes

Chapters

1 00:00 Welcome to The Changelog 01:01
2 01:01 Sponsor: Tiger Data 02:34
3 03:34 Start the show! 01:21
4 04:55 Recent npm history 05:12
5 10:07 GitHub's response 03:10
6 13:17 Trusted publishing 03:12
7 16:28 What makes it trusted 03:49
8 20:17 What they're not doing 02:36
9 22:53 Sponsor: Namespace 01:38
10 24:31 Misaligned incentives 03:18
11 27:48 One big attack away 03:27
12 31:15 How staffed is npm? 02:17
13 33:32 Is using npm still prudent? 04:22
14 37:54 Pre/post install hooks 09:29
15 47:22 Verified publishers 02:56
16 50:19 Sponsor: Squarespace 01:23
17 51:42 JSR and vlt 05:36
18 57:18 An Anthropic registry 06:06
19 1:03:24 How other ecosystems do it 05:12
20 1:08:36 The cool factor 01:32
21 1:10:07 The profit incentive 02:54
22 1:13:02 Nicholas' work 02:43
23 1:15:44 Connecting with Nicholas 01:07
24 1:16:51 AI: not just hype 02:35
25 1:19:26 Wrapping up 00:25
26 1:19:52 Closing thoughts 01:18

Transcript

⏰ Coming Soon

We're hard at work on the transcript for this episode! Sign in / up to access transcript notifications. 💪