Syntax - Tasty Web Development Treats

705: Is Running Random Code From npm Safe? With Feross Aboukhadijeh

Dec 15, 2023

01:07:17

Snipd AI

Feross Aboukhadijeh, developer of Socket, Wormhole, and Web Torrent, joins Wes and Scott to discuss the safety of running random code from npm. They explore Socket's focus on visibility and security, npm spam attacks, managing dependencies with shrink wrap or lock files, implementing web torrent with JavaScript, exploring browser APIs, and the risks of running random code from npm.

AI Summary

Highlights

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Socket.dev helps developers make informed decisions about the security of open source packages they use.

Socket.dev aims to offer comprehensive package information and improve the developer experience.

Socket.dev uses automated scans and human review to proactively identify potential security risks in open source packages.

Deep dives

Socket.dev: A Developer Tool for Open Source Packages

Socket.dev is a developer tool that helps in picking open source packages and understanding their risks. It offers a package browser type tool where users can search for specific packages and get information about their security, maintenance status, and potential risks. Socket.dev conducts thorough scans of packages, looking for signs of malware, suspicious code, and vulnerabilities. It provides developers with a comprehensive understanding of the risk profile of the packages they use, without having to manually inspect each file and dependency. By offering insights into package security, Socket.dev aims to empower developers to make informed decisions about the packages they choose to install.

NaN:NaN

Risk of unmaintained open source packages

01:20

Introduction

3min

Improvements to NPM Website

23min

NPM Spam Attacks and Risks

6min

Managing Dependencies: Shrink Wrap vs. Lock Files

4min

Implementing Web Torrent with JavaScript

23min

Exploring the Possibilities of Browser APIs

3min

Risks of running random code from npm

5min

In this Supper Club episode of Syntax, Wes and Scott talk with Feross Aboukhadijeh about his work on Socket which helps to make sure the code you get from npm is safe and secure. They also touch on his work on Wormhole and Web Torrent.

Show Notes

00:30 Welcome
00:57 Who is Feross Aboukhadijeh?
01:33 What is Socket?
[Socket.dev](https://socket.dev
dominictarr (Dominic Tarr)
pull-stream/pull-stream: minimal streams
03:59 Introducing AI package summaries
Example of the AI summaries
Introducing AI Package Summaries
07:04 Is Socket’s focus on visibility of a open source project?
10:01 What was the inspiration for Socket?
Introducing “safe npm”, a Socket npm Wrapper - Socket
16:22 How does Socket detect possible security issues?
Removed packages
event-source-polyfill protestware attack
john wick spam attack
18:55 How many projects are you injesting for Socket to scan?
26:00 What kinds of things are people trying to inject in code?
CS253 Web Security
29:54 How do I hook Socket up to my project or GitHub?
32:08 Do we still need to use shrink wrap?
36:34 How did you implement the torrent spec in JavaScript for WebTorrent?
WebTorrent Desktop
WebTorrent FAQ
43:11 Why did you build Wormhole?
Wormhole
47:33 How expensive is it to maintain Wormhole?
Riverside.fm - Record Podcasts And Videos From Anywhere
50:37 What do you think of decentralized code repos?
Radicle
Project Fugu
Fugu Tracker
54:29 Understanding passkeys
56:15 Supper Club questions
GitHub Theme - Visual Studio Marketplace
Web Serial API - Web APIs | MDN
01:03:04 Sick Picks

Sick Picks

Harry Potter audio books

Shameless Plugs

ChatGPT

Hit us up on Socials!

Syntax: X Instagram Tiktok LinkedIn Threads

Wes: X Instagram Tiktok LinkedIn Threads

Scott: X Instagram Tiktok LinkedIn Threads

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Syntax - Tasty Web Development Treats

705: Is Running Random Code From npm Safe? With Feross Aboukhadijeh

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Socket.dev: A Developer Tool for Open Source Packages

Improving the Developer Experience with Socket.dev

Addressing the Risks of Open Source Packages and Ensuring Security

Massive Spam Attack with John Wick Packages

Securing NPM and Safe NPM

Risk of unmaintained open source packages

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

Syntax - Tasty Web Development Treats

705: Is Running Random Code From npm Safe? With Feross Aboukhadijeh

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Socket.dev: A Developer Tool for Open Source Packages

Improving the Developer Experience with Socket.dev

Addressing the Risks of Open Source Packages and Ensuring Security

Massive Spam Attack with John Wick Packages

Securing NPM and Safe NPM

Risk of unmaintained open source packages

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights