How to Warn Developers About Dangerous Packages Before They Install Them

Feross and his team at Socket recently shipped a wrapper library for the ubiquitous npm package manager’s command-line interface that brings enhanced security when you need it most: before executing any code

Bradly Farias lead this effort, so Jerod & Chris invited him on the show to learn all about it.

Join the discussion

Changelog++ members save 3 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

• Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com
• Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.
• Changelog News – A podcast+newsletter combo that’s brief, entertaining & always on-point. Subscribe today.
• KBall Coaching – Free exploratory coaching sessions from JS Party co-host KBall! Click here to get started

Featuring:

• Bradley Meck Farias – GitHub, LinkedIn, Mastodon, X
• Jerod Santo – GitHub, LinkedIn, Mastodon, X
• Feross Aboukhadijeh – Website, GitHub, X
• Christopher Hiller – Website, GitHub, Mastodon, X

Show Notes:

• Introducing “safe npm”
• Source code on GitHub

Something missing or broken? PRs welcome!