Haoqun Jiang

Finally, finally! SALVATION HAS ARRIVED! Time to refactor every GitHub Actions workflow! 🎉

Wow, this was unexpected. I've got mixed feelings, but huge congrats to the team!

But there is a language switcher at the bottom of the GoDaddy homepage? And you can use root paths like www.godaddy.com/en to go directly to the English homepage.

Bought. The interactive debugger looks cool!

I rarely feel that the Vue ecosystem is lacking anything, but this time, I truly wish we had a Vue version of this library. Impressive work!

You won't have to worry even without corepack - pnpm reads from `packageManager` too: pnpm.io/npmrc#manage... And you can prevent npm from being used with `devEngines`: github.com/npm/cli/pull...

Finally. I wish the community could migrate from the `packageManager` field to `devEngines` following this - always pinning versions is good in theory but way too cumbersome in practice.

[RFC] Proper Import Attributes support · vitejs vite · Discussion #18534 Context: Import Attributes is now stage 4: https://github.com/tc39/proposal-import-attributes Related PR / issues: #17485 rollup/rollup#5694 There are few different aspects regarding properly impor...

There’s an RFC for this: github.com/vitejs/vite/...

This thing is so useful. Especially for security - ensuring the published package is actually what exists in the source

npm Blog Archive: announcing free Orgs npm Blog (Archive); updates from the npm team are now published on the GitHub Blog and the GitHub Changelog

Can't believe scoped packages wasn't a free feature of npm until 2017-03-22 blog.npmjs.org/post/1587182...

GitHub commit message: docs: add --no flag to npx command to avoid downloading the incorrect package from npm Thanks to @alxndrsn for finding this issue and the insightful blog post. https://www.alxndrsn.com/2024-08-01-npx-binary-confusion/ Also thanks to @lirantal for his newsletter that brought this issue to my attention. https://www.nodejs-security.com/newsletter/npm-supply-chain-security-prisma-orm-security-fun-nodejs-security-challenges Git Diff: - npx vue-cli-service serve + npx --no vue-cli-service serve

😮‍💨 Still paying down the tech debt that accumulated during the transition from non-scoped packages to scoped ones… I’m lucky to have subscribed to @lirantal.com’s Node.js security newsletter. It’s always informative!

- www.alxndrsn.com/2024-08-01-n...
- www.nodejs-security.com/newsletter/n...

Speeding up the JavaScript ecosystem - Rust and JavaScript Plugins Up until recently, supporting JavaScript in Rust based tools has been deemed not worth it. The main concern is the overhead of the de-/serialization cost when sending data back and forth. But there is...

Speeding up the JavaScript ecosystem part 11 is here! This time we're looking at:

Extending Rust tools with JavaScript plugins

marvinh.dev/blog/speedin...

Have you tried `v-memo`?

Reka An open-source library with unstyled, primitive components, accompanied by a variety of examples & use cases ready to be integrated into your projects.

Looks like Reka UI, the rebranded Radix Vue component library, has just got officially released 👀 It's such a cool name. Can't wait to try it out!

Screenshot of Node.js REPL with the following text: › await import ("./index.js") [Module: null prototype] { oneTrueDate: [Function: oneTrueDate] } _.oneTrueDate(new Date()) '2024-03-01'

#TIL So this is the fastest way to import an ES module in the Node.js REPL… How did I never know about the `_` (underscore) auto-assignment in the REPL?!
nodejs.org/api/repl.htm... So many wasted keystrokes over the years!

@rspack/core does not have a postinstall script, so it won’t be in the list in the first place. If the attacker adds one, it won’t be executed by default.
This feature mitigates risks like this, and that’s it, it’s not designed to prevent all possible attacks.

Note it's not about their Node APIs (so Vite isn't affected), just when executing the binaries (i.e. `pnpm exec esbuild`) there will be a performance hit.

In my experience this new default doesn't break many projects.
But it might slow down some native packages a bit.
For example, packages like esbuild, lightningcss-cli try to optimize their binaries in the postinstall scripts; these will no longer be executed by default: github.com/evanw/esbuil...

Resurfacing this post now that pnpm 10 is tagged as latest.

?? The link preview is still available even though I deleted the link? Interesting feature/bug…

And in case you still want that username, you can temporarily change your handle back and forth to reserve it. This feature was introduced about a month ago: bsky.app/profile/bsky...

@acemarke.dev Hi Mark, I just noticed that the Bluesky link on your GitHub profile is invalid since you changed your handle. Just wanted to give you a heads-up in case you'd like to update it

The discoveries are really cool, though

Any websites were able to send any requests to the development server and read the response ### Summary Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket co...

Vite 6.0.9 / 5.4.12 / 4.5.6 has been released with *breaking changes* due to security issues. I recommend upgrading it. Some users may need to update the config options. Please check github.com/vitejs/vite/... if you encountered any errors.

Sure, that sounds interesting! What features do you have in mind?

Yes, very helpful!
It's major inspiration for me to start this list, as well as LavaMoat, and I have put links to both of them in the README.

I forked Bun's internal allowlist for those who need the protection from this new default but don't want to bother reviewing every dependency one-by-one: github.com/haoqunjiang/...

To amplify the message maybe we can add codenames to minor releases, while attach nothing to the major ones, so that only the minor releases are cool?

The intrusive design is mostly due to the intrinsic complexity that makes overriding rules in plain array configs almost impossible without knowing the underlying implementation. Type-aware linting in Vue + TypeScript needs a complete overhaul… which I'd like to work on after this stop-gap measure.

Trying to make configuring ESLint + Vue + TypeScript a bit easier with a few helper functions, but I'm afraid it might be too intrusive: github.com/vuejs/eslint...
What's your opinion about this API?