March 5, 2025

Subject: Trust in JS supply chain; sync vs. async code; JIT vulnerabilities; parseInt() and keycap emojis; V8 performance improvement; Node Modules Inspector; object hashing; key-value storage API

Secure your JavaScript dependencies.

socket.dev Sponsor

Open source code makes up 90% of most codebases. Socket detects what traditional vulnerability scanners can’t, including 70+ indicators of open source supply chain risk like malware, typosquatting, hijacked packages, obfuscated code, privileged APIs, and more. Install our free GitHub app today to instantly enable protection on all updates and new dependencies added in PRs.

Reproducibility vs. provenance: trusting the JavaScript supply chain

blog.vlt.sh @darcy@fosstodon.org

“Enter reproduce, a new open-source tool designed to independently verify whether a published npm package can be faithfully rebuilt from its declared source. Unlike provenance systems that merely associate a package with a build environment (which can be ephemeral and manipulated), reproduce goes a step further—empirically testing whether the package metadata actually corresponds to its purported source.”

Async, sync, in between: writing code that can be used synchronously and asynchronously

antfu.me @antfu@webtoo.ls

A mere mortal’s introduction to JIT vulnerabilities in JavaScript engines

trustfoundry.net github.com/JosiahPierce

To parse an int: parseInt() and keycap emojis

www.aleksandrhovhannisyan.com github.com/AleksandrHovhannisyan

The blog post explains the following phenomenon:
> parseInt('4️⃣')
4
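As an added example (not from the newsletter or the linked post), the following shows why this happens and how to check untrusted input more strictly. The keycap emoji is three code points: the ASCII digit '4', U+FE0F (variation selector-16) and U+20E3 (combining enclosing keycap); parseInt consumes leading digits and silently stops at the first character that is not a digit in its radix, so the emoji decoration is dropped. The helper names and the strict regex are this example's own choices, not anything the post defines.

```javascript
// Constructed input: the same string as the literal '4️⃣', written with escapes.
const KEYCAP_FOUR = '4\uFE0F\u20E3';

// List the code points of a string so the hidden characters become visible.
function codePoints(s) {
  return Array.from(s).map(
    ch => 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0')
  );
}

// Lenient parse: parseInt reads leading base-10 digits and ignores the rest.
function lenientInt(s) {
  return parseInt(s, 10);
}

// Strict parse for validating untrusted input: the whole string must be an
// optional sign followed by ASCII digits, and the value must be a safe integer.
// Anything else (trailing text, emoji decoration, overflow) is rejected with null.
function strictInt(s) {
  if (!/^[+-]?[0-9]+$/.test(s)) return null;
  const n = Number(s);
  return Number.isSafeInteger(n) ? n : null;
}

// Number() is an alternative to parseInt: it rejects trailing garbage with NaN.
function numberIsNaN(s) {
  return Number.isNaN(Number(s));
}

console.log(codePoints(KEYCAP_FOUR)); // [ 'U+0034', 'U+FE0F', 'U+20E3' ]
console.log(lenientInt(KEYCAP_FOUR)); // 4
console.log(strictInt(KEYCAP_FOUR));  // null
```

Where a numeric field arrives from outside (query strings, form bodies, headers), the strict form is the one to use: parseInt's tolerance for trailing characters means "4" and "4️⃣" and "4abc" are all accepted as 4, which is rarely what a validator intends.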

Turbocharging V8 with mutable heap numbers

v8.dev 

“[...] we recently revisited the JetStream2 benchmark suite to eliminate performance cliffs. This post details a specific optimization we made that yielded a significant 2.5× improvement in the async-fs benchmark, contributing to a noticeable boost in the overall score. The optimization was inspired by the benchmark, but such patterns do appear in real-world code.”

Packages and tools

Node Modules Inspector: Visualize node_modules, inspect dependencies, and more

node-modules.dev @antfu@webtoo.ls

ohash: simple object hashing, serialization and comparison

github.com github.com/pi0 github.com/unjs

Unstorage: async key-value storage API for browser, workers, Node.js

github.com github.com/pi0 github.com/unjs
