Isn't It Time to Fork a Package?

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

Join the discussion

Changelog++ members save 3 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

• Sentry – Working code means happy customers. That’s exactly why teams choose Sentry. From error tracking to performance monitoring, Sentry helps teams see what actually matters, resolve problems quicker, and learn continuously about their applications - from the frontend to the backend. Use the code CHANGELOG and get the team plan free for three months.
• Changelog++ – You love our content and you want to take it to the next level by showing your support. We’ll take you closer to the metal with no ads, extended episodes, outtakes, bonus content, a deep discount in our merch store (soon), and more to come. Let’s do this!
• Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com

Featuring:

• Tobie Langel – Website, GitHub, X
• Amal Hussein – GitHub, X
• Feross Aboukhadijeh – Website, GitHub, X
• Christopher Hiller – Website, GitHub, Mastodon, X

Show Notes:

• Open source developer corrupts widely-used libraries, affecting tons of projects - The Verge
• Tobie’s tweet thread on this self-sabotage
• Tobie’s talk on OSS Sustainability
• Working in Public | A book by Nadia Eghbal
• Four types of OSS projects mentioned in Nadia’s book
• Renovate | A Dependency Management Bot
• Dependabot | Another OSS Dependency Bot
• Sustain OSS | A space for conversations about sustaining open source
• Tidelift
• SBOM - Software Bill of Materials (official US Government Site & Docs)
• Software Bill of Materials’ — Not just good for security, good for business | The Hill
• Executive Order on Improving the Nation’s Cybersecurity
• Tidelift’s SBOM generation service
• Popular NPM package UA-Parser-JS poisoned with cryptomining, password-stealing malware | The Daily Swig
• Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure / Ford Foundation
• Socket (Security project that Feross is working on)
• Does open source need its own Priority of Constituencies?
• Unlock Open
• who accused me of co-founding npm

Something missing or broken? PRs welcome!