John-David Dalton

@jddalton.bsky.social

Lodash creator • sometimes TC39 delegate • protecting supply chains at https://Socket.dev • Ex (Bun, Salesforce, Node core, Electron WG, Microsoft)

1,083 Followers  |  133 Following  |  53 Posts  |  Joined: 04.11.2024  |  2.046

Latest posts by jddalton.bsky.social on Bluesky


🚀 Day 2 of Socket Launch Week:

Today we’re introducing a major shift in how developers fix vulnerabilities: Socket Certified Patches.
One-click, safe-by-design remediation for vulnerable dependencies.

18.11.2025 19:39 — 👍 4    🔁 3    💬 1    📌 0

🚀 Day Two of Socket Launch Week!

We’re launching @socket.dev Certified Patches—a new way to eliminate vulnerabilities instantly without upgrading your package versions or pulling in risky new code.

Tiny, human-reviewed fixes that give teams a clean path to zero exploitable CVEs.

18.11.2025 20:03 — 👍 9    🔁 3    💬 1    📌 0

🚀 pnpm v10.21 is out!
This release introduces two powerful new security & compatibility features:
1️⃣ Automatic Node.js runtime installation for dependencies
2️⃣ Configurable trust policy for detecting supply-chain downgrades

🧵👇

10.11.2025 15:18 — 👍 55    🔁 9    💬 1    📌 2

"Let me use sed" is the new "Hold my beer"

03.11.2025 12:39 — 👍 4    🔁 0    💬 1    📌 0

Lodash is entering a new chapter 📖 With investment from @sovereign.tech the project is getting key updates for security, modernization, and community-led governance.

Details: hubs.la/Q03NrdfR0

14.10.2025 13:07 — 👍 10    🔁 2    💬 1    📌 1
Introducing Socket Firewall: Free, Proactive Protection for ... Socket Firewall is a free tool that blocks malicious packages at install time, giving developers proactive protection against rising supply chain atta...

Introducing Socket Firewall: free, proactive protection for your software supply chain
@dale.link @socket.dev
socket.dev/blog/introdu...

#ECMAScript #JavaScript

07.10.2025 02:22 — 👍 8    🔁 5    💬 0    📌 0
Socket Integrates With Bun 1.3’s Security Scanner API - Sock... Socket now integrates with Bun 1.3’s Security Scanner API to block risky packages at install time and enforce your organization’s policies in local de...

🚀 Socket now integrates with Bun 1.3’s new Security Scanner API! @bun.sh users can now protect their projects from malicious packages, typosquatting, & other supply chain attacks. Great to see Bun moving fast to protect devs with this new API!

socket.dev/blog/socket-...

10.10.2025 23:08 — 👍 2    🔁 3    💬 0    📌 0
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages... Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...

🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript

16.09.2025 18:15 — 👍 31    🔁 15    💬 1    📌 5
pnpm 10.16 Adds New Setting for Delayed Dependency Updates -... pnpm's new minimumReleaseAge setting delays package updates to prevent supply chain attacks, with other tools like Taze and NCU following suit.

After recent npm supply chain attacks, @pnpm.io 10.16 adds a setting for delayed dependency updates.

Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.

socket.dev/blog/pnpm-10... #NodeJS

15.09.2025 18:28 — 👍 18    🔁 8    💬 0    📌 2

In the past week "minimumReleaseAge" was added to pnpm 10.16.0 and also "maturity-period" added to taze 19.6.0 🙌

13.09.2025 14:20 — 👍 3    🔁 1    💬 0    📌 0
Release pnpm 10.16 · pnpm/pnpm Minor Changes There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new settin...

pnpm v10.16.0 adds "minimumReleaseAge", a setting for defining how long a version has to have been published before pnpm will install it.

A nice countermeasure against accidental installs of short-lived compromised packages before they get taken down. Not a 100% fix, but a great additional step!

12.09.2025 22:49 — 👍 197    🔁 64    💬 8    📌 6
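The delayed-update check the two pnpm posts above describe, as an added example that is not pnpm's own code: it takes the `time` map from an npm registry packument (constructed sample data below), treats the minimum age as minutes (an assumption made for this example), and returns the newest version that has been published long enough, skipping past releases that are still too young.

```javascript
// Added example, not pnpm's implementation: a "minimum release age" filter
// over npm registry metadata. A packument's `time` map gives version -> publish
// timestamp; versions younger than the policy allows are refused and the
// newest sufficiently old version is chosen instead.

// Constructed sample: 1.2.3 was published minutes ago, the shape of the
// short-lived compromised releases the setting is meant to guard against.
const SAMPLE_TIME = {
  created: '2025-01-01T00:00:00.000Z',
  modified: '2025-09-12T20:05:00.000Z',
  '1.2.0': '2025-06-01T10:00:00.000Z',
  '1.2.1': '2025-08-15T10:00:00.000Z',
  '1.2.2': '2025-09-11T09:00:00.000Z',
  '1.2.3': '2025-09-12T20:05:00.000Z',
};

// Numeric compare of plain x.y.z versions (prereleases are filtered out below).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns the newest version that is at least `minAgeMinutes` old as of `now`,
// or null when every published version is still too young to install.
function pickMatureVersion(timeMap, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  const mature = Object.entries(timeMap)
    // Drop the 'created'/'modified' keys and any prerelease tags.
    .filter(([key]) => /^\d+\.\d+\.\d+$/.test(key))
    // Keep only versions published on or before the cutoff instant.
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return mature.length ? mature[mature.length - 1] : null;
}

// Stand-alone run: a one-day policy skips 1.2.3 and lands on 1.2.2.
console.log(pickMatureVersion(SAMPLE_TIME, 1440, new Date('2025-09-12T20:30:00.000Z')));
```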
pnpm 10.16 Minor Changes
12.09.2025 00:00 — 👍 0    🔁 1    💬 0    📌 0

🚨 Using setImmediate() in your Node.js apps? You might be creating silent performance bombs that only explode in production.

Our latest webinar breaks down why this "simple" async function is one of the most misunderstood tools in Node.js 🧵👇

22.08.2025 15:59 — 👍 5    🔁 1    💬 1    📌 0
url-pattern-list Efficiently match URLs against a collection of URL patterns. Latest version: 0.5.0, last published: 12 minutes ago. Start using url-pattern-list in your project by running `npm i url-pattern-list`. Th...

URLPattern is about to land in all browsers! 🎉

The only problem is it's slow to match URLs against a large set of patterns by linearly scanning.

So I just made url-pattern-list: a utility that parses patterns into an efficient prefix-tree for 2-30x faster matching! 😲

www.npmjs.com/package/url-...

13.08.2025 22:23 — 👍 24    🔁 7    💬 2    📌 0
Active Supply Chain Attack: npm Phishing Campaign Leads to P... Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.

🚨 Active supply chain attack on npm:
Multiple Prettier tooling packages were compromised through the phishing campaign we published about just hours ago. Watch out for more compromised accounts and malicious packages.

Follow-up: socket.dev/blog/npm-phi... #nodejs #npm

19.07.2025 01:02 — 👍 8    🔁 6    💬 0    📌 0

I need to revisit the ask :)

04.07.2025 17:07 — 👍 1    🔁 0    💬 1    📌 0
Announcing Oxlint 1.0 The first stable version of Oxlint, a fast & easy-to-use Rust-powered linter for JavaScript and TypeScript, is out. Learn about its 50~100x speed advantage over ESLint, support for 500+ rules, real-wo...

We're thrilled to announce the first stable release of Oxlint - version 1.0!

Our Rust-powered JavaScript/TypeScript linter delivers 50~100x faster performance than ESLint with 500+ rules and zero configuration required.

Time to give it a try!

voidzero.dev/posts/announ...

10.06.2025 10:13 — 👍 309    🔁 62    💬 10    📌 9

A tip I learned from a client this week: Before closing out an AI agent coding session, ask the agent to update your copilot-instructions.md file with what it learned. That saves time by adding context for future prompts.

09.05.2025 16:10 — 👍 17    🔁 1    💬 0    📌 0

github.com/eslint/eslin...

It is *wild* how simple that change is for that kind of startup perf boost 😍

28.04.2025 17:55 — 👍 5    🔁 2    💬 1    📌 0

ESLint enables the V8 compile cache by default in Node.js v22+. The result on my machine is a load time reduction of around 90%.

28.04.2025 17:43 — 👍 75    🔁 12    💬 4    📌 0

a game where you play a buddy duo called Chick and Nugget

- sick 3D platformer!
- everything is made out of crafting materials
- levels open, unfold, rotate
- theme song by Banjo-Kazooie composer
- voice cast ft the voice of Sly Cooper

PaperKlay, coming 27th May, please DM for codes

08.05.2025 14:40 — 👍 273    🔁 43    💬 13    📌 6

ECMAScript excitement 😉

Node.js 24 LTS ships these new JS features 🎉

🔶 Atomics.pause
🔶 Error.isError
🔶 Explicit Resource Management (`using`)
🔶 Float16Array
🔶 Intl.DurationFormat
🔶 Promise.try
🔶 RegExp.escape
🔶 RegExp Modifiers
🔶 RegExp Duplicate Named Capture Groups

07.05.2025 10:32 — 👍 82    🔁 18    💬 2    📌 0

✂️ Knip v5.54.0 is out

→ Use `--fix --format` to format modified files, using Formatly and your project's formatter + config ✨

→ Support aliases from plugins, added for Vite, Vitest & webpack (`resolve.alias`)

→ Simplified plugin development (removed `resolveEntryPaths`, use only `resolveConfig`)

06.05.2025 07:05 — 👍 26    🔁 2    💬 1    📌 1
Node.js — Node v24.0.0 (Current) Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Node.js 24 is here and it's looking good 😎🚀

Featuring updates to V8 v13.6, npm v11, improved Permission Model and more new features in the blog.

Check it out and let us know what you think: hubs.ly/Q03lfLDC0

06.05.2025 15:26 — 👍 108    🔁 35    💬 1    📌 3
a man in a top hat and bow tie says the suspense is terrible and i hope it'll last
26.04.2025 18:20 — 👍 4    🔁 0    💬 0    📌 0

Super excited to share what I've been working on lately. Socket can now automagically fix security alerts with an autopilot mode ⚡🪄📦

25.04.2025 14:46 — 👍 10    🔁 4    💬 0    📌 0

🔥 Launch Day 5: We’re so excited to launch socket fix — a CLI tool that automatically upgrades vulnerable dependencies, runs your tests, and even auto-merges safe updates in CI. From alert to merged fix. Zero friction.

25.04.2025 14:30 — 👍 3    🔁 3    💬 1    📌 3
Socket Acquires Coana to Bring Reachability Analysis to Ever... Socket is bringing best-in-class reachability analysis into the platform — cutting false positives, accelerating triage, and cementing our place as th...

🚀 Big news! Socket is acquiring Coana, bringing best-in-class reachability analysis to modern SCA! Coana's technology reduces false positives by up to 80%, letting teams focus on vulnerabilities that actually matter. #AppSec 1/4

23.04.2025 13:22 — 👍 5    🔁 2    💬 1    📌 0

We got it working 💪

04.04.2025 19:41 — 👍 4    🔁 0    💬 1    📌 0
The JavaScript Oxidation Compiler A collection of high-performance JavaScript tools written in Rust

Announcing Oxlint Beta: oxc.rs/blog/2025-03...

16.03.2025 03:02 — 👍 265    🔁 37    💬 2    📌 6
