@martinwoodward The fact this keeps happening is great for @SocketSecurity, what @feross & team have built is amazing. But surely as an ecosystem we can be doing more to stop this kind of token compromise from even starting. GitHub owns the registry and the majority source of publishes (GHA). .

Who do I need to talk to to make any of these happen @martinwoodward? Heck if you sign me up as a contractor for $1 I'll build some of them for you.

Generate videos in just a few seconds. Try Grok Imagine, free for a limited time.

* Allow npm developers to _advertise_ what level their npm package is secured with (2fa-only, publish-token, any-token). All of these would meaningfully move the needly in both ecosystem and enterprise security for the npm registry.

* Any package published with GHA based provenance _ever_ should require a manual 2FA invention on the first subsequent deploy that does not have provenance.

* Enforce 2FA globally, not just specific accounts.* New tokens should not be allowed to publish till approved via email on the same IP that requested them.

When is GitHub going to step up as the current stewards of npm and enforce 2FA globally. This keeps happening, and the answer is always "developers should enable 2FA" and not "the registry needs to change drastically". There are steps that be taken very quickly to make npm safer.

Is it still a sub tweet if you tweet it early

RT @electronjs: Earlier today, the Electron team was alerted to several recent CVEs filed against an Electron Fuse setting. These reports a….

I don't know who needs to read this, but it isn't remote code execution if you have to run a command in a shell to do it. That's physically local, and in the majority of cases is not a critical CVE. Good reference from the Chrome security team.

Who do I talk to about 500kb of undici taking up 2MB in the node executable. @ArrowoodTech 👀

This is important for anyone building electron apps to read. * Make sure you're up to date.* Don't turn the sandbox off.

RT @JasonEtco: Thinking of starting a YouTube channel in which I review PC cases from the perspective of "cat comfort" - how easy it is to….

M1 Max is gamechanging for people doing excessive amounts of compilation (read "work on Chromium"). My old fully specced out i9 macbook took 23 minutes to build Electron from source (using our distributed build + cache). The M1 Max does the same thing in 9 minutes flat. .

RT @george_xuuu: Browsing in incognito mode at work so when I screen share w my mentor they wont see me googling “how to center a div”.

Today I discovered I've spelled "tenant" wrong in a project for the last 4 years. I think the correct thing to do here is click the "add to dictionary" button 😅

Tracking down the commit I originally wrote some code in, hoping Past Sam left me a clue as to my intentions. I don't know why I even bother anymore 😂

Couple of months of hard work, but we're here and ready for the future of Macs.

RT @eevee: oracle is bustling with excitement and activity as entire boardrooms of executives try to figure out how to charge tiktok users….

This one contains a nice surprise for anyone out there with a DTK.

Fun thing I got working earlier this week. We have launch-able dev builds of @electronjs for Apple Silicon. Decent way to go still but this is great early progress.