Matt Travi

🚨 npm phishing alert!
Attackers are sending emails from spoofed support@npmjs.org addresses linking to a typosquatted clone site (npnjs.com) to steal credentials. This attack is designed to hijack npm accounts. Careful with those email links: socket.dev/blog/npm-phi... #nodejs #JavaScript

For no reason at all, I feel the need to remind folks that Node.js is not in competition with other runtimes like Deno or Bun. Companies compete. For profit entities compete. Private equity competes. Non-profits do not compete. Non-profits just exist. Use Node.js, use Deno, use Bun, use what works..

Node.js — Node v18.20.8 (LTS) Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine.

New @nodejs.org 18.20.8 release. This is the last planned release of Node.js 18 before it reaches End-of-Life at the end of April 2025. You are recommended to update to Node.js 20 or 22 to continue to receive security updates after that date.
nodejs.org/en/blog/rele...

🔑 under-discussed point — why they were on signal:

We want to get some early feedback on this tool. Is there anyone in my network working in OSS who could be interested to try it out? It will be just a few minutes!

I'm even more afk than usual this week, so I apologize if I'm slow to respond. I saw your semantic-release issue, and it sounds interesting. I'm ok with keeping the conversation in the open there, but my contact form is a good option so we could chat over email too

I need examples of vulnerabilities reported against npm packages that maintainers of the package or another package depending on it were annoyed by.
Doesn't have to be fresh, last 5 years is ok.

Respond with ghsa link or package+version - I can look it up myself.

(repost for reach a lot please)

Great sticker ITW

A Tesla where the owner has put a Buick logo on the center of the trunk, a Buick badge under the left taillight and a LaCrosse CX badge under the right taillight.

Imagine your car becoming so hated that owners are like "please let them think I'm driving a Buick!"

> changes the behavior for the obj.toString folks

Major

All y'all investing your careers in generative AI should be keeping a close eye on cases like this. It's early but so far every judge has ruled in favor of copyright holders and against the idea that LLM outputs fall under fair use. If they ALSO rule that code repos with LLM-produced work in them

An image highlighting the SHA in the URL after hitting the "Y" key on GitHub

🚨PSA: When copying GitHub URLs, always hit "Y" first!

Hitting "Y" adds the current SHA to the URL. This ensures your link doesn't break as the repository changes over time.

I'm still very happy with mine from Autonomous

Want to influence priorities in an OSS project? Here's the secret: demand nothing, be kind, and if possible roll up your sleeves to contribute. OSS thrives on collaboration, not demands. #OpenSource #OSS

Semantic Release Semantic Release has 35 repositories available. Follow their code on GitHub.

Hi, folks 👋

I maintain github.com/semantic-rel... and github.com/repository-s...

It’s a big day for Cucumber: we’re back in community ownership.

cucumber.io/blog/open-so...

A graphic created by our graphic designer, Clelia Rella. The light background has an a green and blue abstract plant where the leaves are communication bubbles and the top stem a couple rain drops on the right half of the image, our Home Assistant antenna on the left side barely visible. Our Home Assistant logo is in the top left. Text overlay reads: Understanding our community The 2024 Home Assistant Survey

As we continue to grow and evolve, so does our commitment to making Home Assistant more inclusive, accessible, and aligned with the diverse needs of our community. To that end, we’re launching an annual survey—and we hope you’ll take part! 👇🏼

home-assistant.typeform.com/communitysur...