This month we tackle secure npm publishing, roll out a major security overhaul for Lodash, and continue the Express release train. Plus, updates on Node.js VFS and a new security guide for open source maintainers.
The OpenJS Security Collaboration Space has been working closely with GitHub’s npm team to understand how new security features affect projects and maintainers, especially as threats and tools keep evolving.
This month brought a new talk, a deep dive into secure publishing, key Express releases, OSSF Scorecard updates, and several ecosystem improvements around security and governance.
Another wave of the Shai-Hulud campaign has hit npm, with more than 500 packages and 700+ versions affected.
A post by Zach Leatherman (zachleat)
Why doesn't npm detect compromised packages the way credit card companies detect fraud?