Introducing auto-triage rules for Dependabot
ProductSecurityIntroducing auto-triage rules for DependabotMake quick work of alerts with preset and custom rules. Since the May beta release of our GitHub-curated Dependabot policies that detect and close false positive alerts, over 250k repositories have manually opted in, with an average improvement of over 1 in 10 alerts. The impact so far: auto-dismissal of millions of alerts that would have
Security alert: social engineering campaign targets technology industry employees
SecuritySecurity alert: social engineering campaign targets technology industry employeesGitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor. GitHub has
Why we're excited about the Sigstore general availability
Open SourceSecurityWhy we’re excited about the Sigstore general availabilityThe Sigstore GA means you can protect your software supply chain today with GitHub Actions, and will power new npm security capabilities in the near future. Sigstore is a powerful new technology for signing, verifying, and protecting software supply chains, and we’re very excited by today’s general availability announcemen
dependency-cruiser-report-actionでPRの変更ファイルの依存関係を可視化してコメントする
この記事は、筆者が制作したGitHub Actions向けCustom actionであるdependency-cruiser-report-actionを紹介する記事です。 JavaScript / TypeScriptのプログラムではexportによりモジュールとして分割しimport(require) で読み込むことができますが、一度exportで公開してしまうとプロジェクト内のどこからでも読み込むことができてしまいます。 無秩序にimportを増やして依存関係が複雑になるとモジュール間は密結合になります。1つの小さな変更が大規模な障害に発展したり、変更をリリースするまでのリードタイムは伸びていくなどの悪循環に陥ります。 プロダクトを安全にメンテナンスし続けるためにはこの「依存」と立ち向かうことになります。 立ち向かうためのアプローチとしてはフレームワークによる規約の利用、SOLID
GitHub Advisory Database now powers npm audit
ProductSecurityGitHub Advisory Database now powers npm auditToday, we’re adding a proxy on top of the GitHub Advisory Database that speaks the `npm audit` protocol. This means that every version of the npm CLI that supports security audits is now talking directly to the GitHub Advisory Database. Supply chain security is one of the most important parts of software development today, and we want to
GitHub Actions: Setup-node supports dependency caching for projects with monorepo and pnpm package manager
GitHub Actions: Setup-node supports dependency caching for projects with monorepo and pnpm package manager actions September 7, 2021 You can now use setup-node action to cache dependencies for projects with monorepo and pnpm package manager. Use the optional cache-dependency-path field to specify the path to dependency file(s). steps: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with:
The npm registry is deprecating TLS 1.0 and TLS 1.1
ProductThe npm registry is deprecating TLS 1.0 and TLS 1.1Beginning October 4, 2021, all connections to npm websites and the npm registry, including for package installation, must use TLS 1.2 or higher. Beginning October 4, 2021, all connections to npm websites and the npm registry—including for package installation—must use TLS 1.2 or higher. GitHub is committed to ensuring the security of our se
オリジナルのJavaScriptライブラリを公開しよう
オリジナルのJavaScriptライブラリを公開します! ライブラリの作り方よりかは、実際に公開する手順やCI/CDについて解説します。 【技術】 ・ JavaScript ・ Node.js ・ npm/yarn ・ Mocha ・ Chai ・ Git/GitHub ・ GitHub Actions
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
pnpm: support needed for its new v9 lockfile format · Issue #9522 · dependabot/dependabot-core
Unlocking security updates for transitive dependencies with npm | The GitHub Blog
Connecting a repository to a package - GitHub Docs
Improved account recovery flow in case of a lost 2FA device
Socket - Secure your dependencies. Ship with confidence.
feat: transitiveRemediation by rarkins · Pull Request #8883 · renovatebot/renovate
private な npm パッケージを Dockerfile でインストールして GitHub Actions でビルドする
GitHub - JS-DevTools/npm-publish: GitHub Action to publish to NPM
npm public roadmap · npm/roadmap
npm/feedback · Discussions
GitHub - mjswensen/shoulders: 💛 Quickly view a list of your dependencies' open issues.
GitHub - orta/monorepo-deploy-nightly: Deploys npm projects, vscode extensions on a nightly basis if it has changed