Programmer, Engineer, Problem Solver. Maintainer of Dependabot. Principal software engineer at Microsoft/GitHub.
Jamie Magee
Turns out "let me just npm install real quick" was a security incident the whole time
v12 is making dependency install scripts opt-in. I helped build it. You're welcome/I'm sorry.
github.blog/changelog/20...
Npm registry sets stage for more secure package publishing
My OSSNA talk is now up on the Linux Foundation YouTube channel: Beyond SBOMs
SBOMs tell you what's in your software. Not what you're allowed to do with it. That's the gap ClearlyDefined fills.
If you've ever fought a NOTICE file, this one's for you: www.youtube.com/watch?v=gUF1...
🚀 Wow, this is finally happening!
npm plans to block postinstall scripts by default in a future release
In the near future (phased rollout), we will likely get a warning
github.com/npm/cli/pull...
With Ankit Kumar Honey, senior engineering manager at GitHub, working on the Dependabot ecosystem, and Jamie Magee, principal software engineer at Microsoft, focusing on open source software and supply chain security, who contributed the Dependabot Nix support.
fulltimenix.com/episodes/dep...
Seattle's light rail & streetcar lines carried 4.8 million riders in April—a 44% increase above March, after Link Line 2 was extended to connect Seattle & Bellevue across Lake Washington.
Seattle's light rail & streetcar lines are now the most-ridden in the nation, above LA, Boston, or San Diego.
Our next npm major version, v12, introduces security-related default changes to npm install. All these changes are available behind warnings in npm today on 11.16.0 or newer, so you can…
github.blog
shipped three new build warnings so your dotnet SDK can finally tell on itself. you're welcome
jamiemagee.co.uk/blog/a-new-w...
All the world's a stage, and all the packages are merely players
I'll be speaking at the Open Source Summit on Tuesday at 11:55 about how ClearlyDefined can enhance your SBOMs and make license data actionable.
I'll also be at the Microsoft booth on Monday morning. See you there!
osselcna2026.sched.com/event/2JQvf/...
npm staged publishing has shipped 🎉
Your CI can now stage a publish without 2FA, but a human still has to approve it with a hardware key before anything goes live on the registry. Stolen npm tokens stop being game over. Big deal for the Shai-Hulud class of worm.
docs.npmjs.com/staged-publi...
Heads up maintainers of packages, this is a big deal:
github.com/orgs/communi...
When NuGet finds a vulnerable package in your project, it tells you. NU1901 through NU1904 have warned about CVEs in your dependencies for a while now. The SDK that runs the build, though? That’s been...
Documentation for the npm registry, website, and command-line interface
docs.npmjs.com
As initially announced on npm’s X channel, we have invalidated granular access tokens with write access that bypass two-factor authentication. This action was taken to help prevent supply chain att...