[B! npm] efclã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

efcl id:efcl

npmã«é–¢ã™ã‚‹efclã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (821)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

https://socket.dev/blog/npm-to-implement-staged-publishing
efcl 2026/01/15
npmã®ã‚µãƒ—ãƒ©ã‚¤ãƒã‚§ãƒ¼ãƒ³æ”»æ’ƒã®å¯¾ç–ã«ã¤ã„ã¦ æ®µéšŽçš„ãªå…¬é–‹ãŒå¿…è¦ã«ãªã£ã¦ã„ã‚‹ã¨ã„ã†è©±

npm

article

security
ãƒªãƒ³ã‚¯
Introducing Phased Package Installations
Every time you run npm install, you're executing arbitrary code from potentially thousands of packages and package authors. "Install scripts" are run automatically, with full access to your system before you've even had a chance to review what's being installed. Unfortunately, this "download anything and run everything" model has been a security blind spot for years; that ends today. Today, we're
efcl 2025/11/24
vltã§ã¯`vlt install`ã¨`vlt build`ã«ã‚³ãƒžãƒ³ãƒ‰ã‚’åˆ†ã‘ã‚‹ã“ã¨ã§ã€ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«æ™‚ã«ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’å®Ÿè¡Œã‚’ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§è¡Œã‚ãªã„ã‚ˆã†ã«ãªã£ã¦ã„ã‚‹è©±

npm

vlt

article
ãƒªãƒ³ã‚¯
npm security update: Classic token creation disabled and granular token changes - GitHub Changelog
npm security update: Classic token creation disabled and granular token changes Editorâ€™s note (November 5, 2025): Weâ€™ve updated this post to explicitly clarify that the affected tokens are npm tokens. Today marks another milestone in our ongoing effort to strengthen npmâ€™s security. As previously announced, weâ€™re implementing the first set of changes to npmâ€™s token management system. Important: The
efcl 2025/11/11
npmã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆã«ã¤ã„ã¦ Classic tokenã®ä½œæˆã‚’ç„¡åŠ¹ã«ã—ã€æ—¢å˜Classic tokenã¯11æœˆ19æ—¥ã¾ã§æœ‰åŠ¹ã«ãªã£ã¦ã„ã‚‹ã€‚ Granular tokenã§writeæ¨©é™ã¯2FAå¿…é ˆåŒ–ã€CI/CDç”¨ã®Bypass 2FAã‚ªãƒ—ã‚·ãƒ§ãƒ³è¿½åŠ ã€writeæ¨©é™ã‚’æŒã¤tokenã¯90æ—¥ã®æœ‰åŠ¹æœŸé™ã¨

npm

security

article
ãƒªãƒ³ã‚¯
GitHub - danielroe/provenance-action: Fail CI when dependencies in your lockfile lose npm provenance or trusted publisher status
efcl 2025/10/12
provenanceãŒè¨å®šã•ã‚Œã¦ã„ãªã„ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒã‚ã‚‹ã‹ã‚’ãƒã‚§ãƒƒã‚¯ã™ã‚‹GitHub Actions

npm

Github

Actions
ãƒªãƒ³ã‚¯
cleaning house in nx monorepo, how i removed 120 unused deps safely
cleaning house in nx monorepo, how i removed 120 unused deps safely Short version, I ran Knip across our Nx repo, took the â€œunusedâ€ list as a hint, deleted candidates, built, tested, booted apps, and put a few back when they were secretly used. Net, about 120 packages gone. Yarn install dropped by roughly a minute. Fewer CVE nags. Everyone slept better. the situationWe got a chunky Nx monorepo. Ro
efcl 2025/10/08
Knipã‚’ä½¿ã„æœªä½¿ç”¨ã®ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’å‰Šé™¤ã—ãŸè©±

npm

article
ãƒªãƒ³ã‚¯
GitHub - bodadotsh/npm-security-best-practices: How to stay safe from NPM supply chain attacks
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
efcl 2025/10/05
npmã®ã‚µãƒ—ãƒ©ã‚¤ãƒã‚§ãƒ¼ãƒ³æ”»æ’ƒã«é–¢ã™ã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ—ãƒ©ã‚¯ãƒ†ã‚ã‚¹

npm

security

document
ãƒªãƒ³ã‚¯
Introducing Socket Firewall: Free, Proactive Protection for Your Software Supply Chain
efcl 2025/10/02
npm/yarn/pnpmã€pip/uvã€cargoã«å¯¾å¿œã—ãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«æ™‚ã®ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ãƒªã‚¯ã‚¨ã‚¹ãƒˆã‚’ãƒã‚§ãƒƒã‚¯ã—ã¦ã€ãƒžãƒ«ã‚¦ã‚§ã‚¢æ¤œçŸ¥ã‚’ã™ã‚‹ãƒ„ãƒ¼ãƒ«ã€‚ ãã‚Œãžã‚Œã®ã‚³ãƒžãƒ³ãƒ‰ã®é€šä¿¡ã‚’Proxyã™ã‚‹å½¢ã§å‹•ä½œã—ã€GitHub Actionsãªã©ã®CIã§ã‚‚åˆ©ç”¨ã§ãã‚‹

npm

python

Rust

security

article
ãƒªãƒ³ã‚¯
Strengthening npm security: Important changes to authentication and token management - GitHub Changelog
Strengthening npm security: Important changes to authentication and token management As part of our ongoing commitment to securing the npm ecosystem, weâ€™re implementing the first phase of security improvements outlined in our recent announcement. These changes will roll out over the coming five weeks completing by mid-November 2025 and require action from package maintainers. Weâ€™re taking this pha
efcl 2025/09/30
npmã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒãƒ¼ãƒ‰ãƒžãƒƒãƒ—ã€‚ granular access tokensã®æœ€å¤§ã®æœ‰åŠ¹æœŸé™ãŒ90æ—¥ã«å¤‰æ›´ã€classic tokenã‚’å»ƒæ¢ã€TOTPã‚’å»ƒæ¢ã—ã¦ãƒ•ã‚£ãƒƒã‚·ãƒ³ã‚°è€æ€§ãŒã‚ã‚‹MFAã®ã¿ã‚’ã‚µãƒãƒ¼ãƒˆã€‚ 2025å¹´10æœˆã”ã‚ã‹ã‚‰æ®µéšŽçš„ã«é€²ã‚ã¦ã„ãäºˆå®šã¨ãªã£ã¦ã„ã‚‹

npm

article
ãƒªãƒ³ã‚¯
Release v9.0.0 Â· lerna/lerna
9.0.0 (2025-09-23) Bug Fixes publish: ensure README file names are populated on package.json (#4211) (362875d) Features support OIDC trusted publishing (d51e344) OIDC trusted publishing is now supported by Lerna with no specification configuration required. A new guide has been added: https://lerna.js.org/docs/recipes/oidc-trusted-publishing A fully working example repo has been set up here https:
efcl 2025/09/23
lerna v9.0.0ãƒªãƒªãƒ¼ã‚¹ã€‚ OIDCã®ã‚µãƒãƒ¼ãƒˆã€Node.js 18ã®ã‚µãƒãƒ¼ãƒˆçµ‚äº†ã€`@lerna/legacy-package-management`ã®ã‚µãƒãƒ¼ãƒˆçµ‚äº†ãªã©

npm

Tools

ReleaseNote
ãƒªãƒ³ã‚¯
Our plan for a more secure npm supply chain
AI & MLLearn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry. Generative AILearn how to build with generative AI. GitHub CopilotChange how you work with GitHub Copilot. LLMsEverything developers need to know about LLMs. Machine learningMachine learning tips, tricks, and best practices. How AI code generation worksExplore the capabilities and be
efcl 2025/09/23
npmã®ã‚µãƒ—ãƒ©ã‚¤ãƒã‚§ãƒ¼ãƒ³æ”»æ’ƒã«å¯¾ã™ã‚‹npm registry/Githubã®ãƒãƒ¼ãƒ‰ãƒžãƒƒãƒ—ã€‚ Classic Tokenã®å»ƒæ¢ã€publishã‚’MFAé™å®šã€TOTPã®MFAã‚’å»ƒæ¢ã€Granular tokensã§ã®publishã®æœ‰åŠ¹æœŸé™ã‚’çŸãè¨å®šã™ã‚‹ãªã©ã®å¯¾å¿œã‚’ã—ã¦ã„ãã€‚

npm

security

article
ãƒªãƒ³ã‚¯
GitHub - antfu-collective/taze: ðŸ¥¦ A modern cli tool that keeps your deps fresh
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
efcl 2025/09/21
npmãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’patch/minor/majorã¨ã¾ã¨ã‚ã¦ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆã™ã‚‹ãƒ„ãƒ¼ãƒ«ã€‚ monorepoã®ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã«ã‚‚å¯¾å¿œã—ã¦ã„ã‚‹

npm

Tools
ãƒªãƒ³ã‚¯
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
efcl 2025/09/20
Shai-Huludã®ãƒžãƒ«ã‚¦ã‚§ã‚¢åˆ†æžã€‚ æ”»æ’ƒå¾Œã®å¾Œå§‹æœ«ã¨ã‹ã‚’ã™ã‚‹ã‚ˆã†ã«æ”¹å–„ã•ã‚Œã¦ã„ã‚‹

npm

security
ãƒªãƒ³ã‚¯
GitHub - AikidoSec/safe-chain: Protect against malicious code installed via npm, yarn, pnpm, npx, and pnpx with Aikido Safe Chain. Free to use, no tokens required.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
efcl 2025/09/18
`npm`/`npx`/`yarn`/pnpm`/`npx`ã‚³ãƒžãƒ³ãƒ‰ã‚’ä¹—ã£å–ã‚‹å½¢ã§ã€ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«æ™‚ã«Aikidoã®ã‚¹ã‚ãƒ£ãƒ³ã‚’è¡Œã†ãƒ„ãƒ¼ãƒ«

npm

security
ãƒªãƒ³ã‚¯
npm-follower: A Complete Dataset Tracking the NPM Ecosystem
Software developers typically rely upon a large network of dependencies to build their applications. For instance, the NPM package repository contains over 3 million packages and serves tens of billions of downloads weekly. Understanding the structure and nature of packages, dependencies, and published code requires datasets that provide researchers with easy access to metadata and code of package
efcl 2025/09/18
npmã®ã‚¢ãƒ¼ã‚«ã‚¤ãƒ–ã€‚ãƒžãƒ«ã‚¦ã‚§ã‚¢èª¿æŸ»ãªã©ã«åˆ©ç”¨ã™ã‚‹

npm

security
ãƒªãƒ³ã‚¯
Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages - StepSecurity
Executive SummaryThe NPM ecosystem is facing another critical supply chain attack. The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats - the malware includes a self-propagating mechanism that automatically
efcl 2025/09/18
Shai-Hulud ã‚µãƒ—ãƒ©ã‚¤ãƒã‚§ãƒ¼ãƒ³æ”»æ’ƒã€‚ envã‚„Github tokenãªã©ã‚’é›†ã‚ã¦ã€Shai-Huludãƒªãƒã‚¸ãƒˆãƒªã¨ã—ã¦data.jsonã«base64ã‚’2å›žã‹ã‘ãŸå…¬é–‹ã€‚ æ‰€æœ‰ã—ã¦ã‚‹ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã«å¯¾ã—ã¦è‡ªå‹•çš„ã«ãƒžãƒ«ã‚¦ã‚§ã‚¢ã‚’å…¥ã‚Œã¦å…¬é–‹ã™ã‚‹

npm

security
ãƒªãƒ³ã‚¯
DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdbâ€™s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/[email protected] duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The curr
efcl 2025/09/09
DuckDBã®npmã‚¢ã‚«ã‚¦ãƒ³ãƒˆã®ä¾µå®³ã€‚ 2FAçªç ´å¾Œã«npm tokenã‚’ç™ºè¡Œã—ã¦ã€ãƒžãƒ«ã‚¦ã‚§ã‚¢ã‚’é…å¸ƒ

npm

security
ãƒªãƒ³ã‚¯
npm debug and chalk packages compromised
Starting at September 8th, 13:16 UTC, our Aikido intel feed alerted us to a series packages being pushed to npm, which appeared to contains malicious code. These were 18 very popular packages, backslash (0.26m downloads per week)chalk-template (3.9m downloads per week)supports-hyperlinks (19.2m downloads per week)has-ansi (12.1m downloads per week)simple-swizzle (26.26m downloads per week)color-st
efcl 2025/09/09
`debug`ã‚„`chalk`ãªã©è‘—åãªnpmãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã«ãƒ–ãƒ©ã‚¦ã‚¶ã§å‹•ä½œã™ã‚‹ãƒžãƒ«ã‚¦ã‚§ã‚¢ã‚’å«ã‚€ãƒãƒ¼ã‚¸ãƒ§ãƒ³ãŒå…¬é–‹ã•ã‚ŒãŸå•é¡Œã«ã¤ã„ã¦ã€‚ ç¾åœ¨ã¯npm registryã‹ã‚‰è©²å½“ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã¯å‰Šé™¤ã•ã‚Œã¦ã„ã‚‹ã€‚ æ¬¡ã®ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³å½±éŸ¿ã‚’å—ã‘ã¦ã„

npm

security

article
ãƒªãƒ³ã‚¯
Anatomy of a Billion-Download NPM Supply-Chain Attack
efcl 2025/09/09
debugã‚„chalkã®ã‚µãƒ—ãƒ©ã‚¤ãƒã‚§ãƒ¼ãƒ³æ”»æ’ƒã®ãƒžãƒ«ã‚¦ã‚§ã‚¢ã®ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰

npm

security

article
ãƒªãƒ³ã‚¯
npm Trusted Publishingã§OIDCã‚’ä½¿ã£ã¦ãƒˆãƒ¼ã‚¯ãƒ³ãƒ¬ã‚¹ã§CIã‹ã‚‰npmãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’å…¬é–‹ã™ã‚‹
npm Trusted PublishingãŒ2025å¹´7æœˆ31æ—¥ã«ä¸€èˆ¬å…¬é–‹ã•ã‚Œã¾ã—ãŸã€‚ ã“ã‚Œã«ã‚ˆã‚Šã€OpenID Connect (OIDC)ã‚’ä½¿ã£ã¦npmãƒˆãƒ¼ã‚¯ãƒ³ãªã—ã§CI/CDã‹ã‚‰npmãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’å…¬é–‹ã§ãã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã—ãŸã€‚ npm trusted publishing with OIDC is generally available Trusted publishing for npm packages | npm Docs ã“ã®è¨˜äº‹ã§ã¯ã€npm Trusted Publishingã®ä»•çµ„ã¿ã‚„è¨å®šæ–¹æ³•ã€å®Ÿéš›ã®ãƒªãƒªãƒ¼ã‚¹ãƒ•ãƒãƒ¼ã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã™ã€‚ npm Trusted Publishingã¨ã¯ npm Trusted Publishingã¯ã€npmãƒ¬ã‚¸ã‚¹ãƒˆãƒªã¨CI/CDç’°å¢ƒï¼ˆGitHub Actionsã‚„GitLab CI/CDï¼‰ã®é–“ã§OIDCãƒ™ãƒ¼ã‚¹ã®ä¿¡é ¼é–¢ä¿‚ã‚’ç¢ºç«‹ã™ã‚‹ä»•çµ„ã¿ã§ã™ã€‚
efcl 2025/09/08
npm Trusted Publishingã¨OIDCã«ã‚ˆã‚‹ãƒˆãƒ¼ã‚¯ãƒ³ãƒ¬ã‚¹ãªCI/CDã‹ã‚‰ã®npmãƒ‘ãƒƒã‚±ãƒ¼ã‚¸å…¬é–‹ã«ã¤ã„ã¦ã€‚ è¨å®šæ‰‹é †ã€ãƒ–ãƒ©ã‚¦ã‚¶ã§å®Œçµã™ã‚‹ãƒªãƒªãƒ¼ã‚¹ãƒ•ãƒãƒ¼ã€ æ–°è¦/æ—¢å˜/monorepoãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã®é‹ç”¨æ–¹æ³•ã€GitHubã®Protectionã®è¨å®šãªã©ã«ã¤ã„ã¦

npm

security

article
ãƒªãƒ³ã‚¯
GitHub - azu/setup-npm-trusted-publish: Setup npm package for trusted publishing with OIDC
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
efcl 2025/09/06
OIDCé€£æºã¯å…ˆã«npm registryã«ç™»éŒ²ã—ãªã„ã¨è¨å®šãŒã§ããªã„ã®ã§ã€READMEã ã‘ãŠã„ãŸãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ã‚’ãŠã„ã¦OIDCã®è¨å®šã‚’ã™ã‚‹ãƒ„ãƒ¼ãƒ«

npm

Tools
ãƒªãƒ³ã‚¯
1 2 3 4 5 6 7 8 9 10 æ¬¡ã®ãƒšãƒ¼ã‚¸