Syntax - Tasty Web Development Treats cover image

705: Is Running Random Code From npm Safe? With Feross Aboukhadijeh

Syntax - Tasty Web Development Treats

Managing Dependencies: Shrink Wrap vs. Lock Files

4min Snip

00:00

Play full episode

Summary

Transcript

Episode notes

Exploring the differences between shrink wrap and lock files in managing dependencies, with a focus on the advantages of lock files in ensuring reproducibility and the limitations they pose in scenarios like resolving merge conflicts. The chapter also discusses the risks of not pinning code from GitHub to specific commits and highlights the importance of security when integrating external code.

In this Supper Club episode of Syntax, Wes and Scott talk with Feross Aboukhadijeh about his work on Socket which helps to make sure the code you get from npm is safe and secure. They also touch on his work on Wormhole and Web Torrent.

Show Notes

00:30 Welcome
00:57 Who is Feross Aboukhadijeh?
01:33 What is Socket?
[Socket.dev](https://socket.dev
dominictarr (Dominic Tarr)
pull-stream/pull-stream: minimal streams
03:59 Introducing AI package summaries
Example of the AI summaries
Introducing AI Package Summaries
07:04 Is Socket’s focus on visibility of a open source project?
10:01 What was the inspiration for Socket?
Introducing “safe npm”, a Socket npm Wrapper - Socket
16:22 How does Socket detect possible security issues?
Removed packages
event-source-polyfill protestware attack
john wick spam attack
18:55 How many projects are you injesting for Socket to scan?
26:00 What kinds of things are people trying to inject in code?
CS253 Web Security
29:54 How do I hook Socket up to my project or GitHub?
32:08 Do we still need to use shrink wrap?
36:34 How did you implement the torrent spec in JavaScript for WebTorrent?
WebTorrent Desktop
WebTorrent FAQ
43:11 Why did you build Wormhole?
Wormhole
47:33 How expensive is it to maintain Wormhole?
Riverside.fm - Record Podcasts And Videos From Anywhere
50:37 What do you think of decentralized code repos?
Radicle
Project Fugu
Fugu Tracker
54:29 Understanding passkeys
56:15 Supper Club questions
GitHub Theme - Visual Studio Marketplace
Web Serial API - Web APIs | MDN
01:03:04 Sick Picks

Sick Picks

Harry Potter audio books

Shameless Plugs

ChatGPT

Hit us up on Socials!

Syntax: X Instagram Tiktok LinkedIn Threads

Wes: X Instagram Tiktok LinkedIn Threads

Scott: X Instagram Tiktok LinkedIn Threads

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

App store banner

Play store banner

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode