In a surprising move, the popular open source project, SheetJS aka "xlsx," has dropped support for the npm registry. Downloaded about 1.4 million times weekly on npm, SheetJS is relied upon by NodeJS ...

Microsoft is acquiring Node package manager npm Inc., officials announced on March 16. (Neither company is sharing the purchase price.) Microsoft plans to integrate GitHub with npm with the intent of ...

This week, one programmer broke a whole mess of the software the internet runs on by deleting one simple program consisting of 11 lines of code. Everything is OK now. But it's a strange case that ...

以色列研究员发现npm和yarn平台存在六个零日漏洞，攻击者可绕过去年11月Shai-Hulud蠕虫攻击后推荐的防御措施。这些名为PackageGate的漏洞能够绕过禁用生命周期脚本和锁文件完整性检查两项关键防护。目前pnpm、vlt和Bun平台已修复相关漏洞，但npm和yarn尚未处理。研究员建议JavaScript开发者转向已修复漏洞的平台，并保持包管理器及时更新。

Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. The finding, ...

Over the holidays, the npm package registry was flooded with more than 3,000 packages, including one called "everything," and others named a variation of the word. The package is quite aptly named as ...

Amazon researchers discovered more than 150,000 malicious packages in the NPM registry, in what they called "a defining moment in supply chain security." The packages were part of a token farming ...