Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.
Changelog++) members save 3 minutes on this episode because they made the ads disappear. Join today!
Sponsors:
Sentry) – Working code means happy customers. That’s exactly why teams choose Sentry. From error tracking to performance monitoring, Sentry helps teams see what actually matters, resolve problems quicker, and learn continuously about their applications - from the frontend to the backend. Use the code CHANGELOG
and get the team plan free for three months.
Changelog++) – You love our content and you want to take it to the next level by showing your support. We’ll take you closer to the metal with no ads, extended episodes, outtakes, bonus content, a deep discount in our merch store (soon), and more to come. Let’s do this)!
Fastly) – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com)
Featuring:
Show Notes:
Open source developer corrupts widely-used libraries, affecting tons of projects - The Verge)
Sustain OSS | A space for conversations about sustaining open source)
SBOM - Software Bill of Materials (official US Government Site & Docs))
Software Bill of Materials’ — Not just good for security, good for business | The Hill)
Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure / Ford Foundation)
Something missing or broken? PRs welcome!)