今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#npm

找到 11 篇相关文章

AI 资讯

We Open-Sourced 42 Construction Calculators — Here's Why

I run EstimatorSuite.com — we review construction estimating software for US contractors (HVAC, electrical, plumbing, roofing, landscaping). We just open-sourced our entire calculator suite: 42 construction calculators under MIT license. React + TypeScript + Tailwind. 🔗 Repo 🔗 Live Demo 🔗 npm What's included: • 36 material calculators (concrete volume, roofing squares, drywall, paint, flooring, etc.) • 6 trade estimators (HVAC load, electrical conduit fill, plumbing pipe sizing) Two entry points: → React components — drop into any project → Pure calculation functions — zero UI dependency, works in Node.js, Vite, Next.js, anywhere Why we built this: Construction software is expensive. Contractors told us they needed free tools that actually work — not ad-filled spreadsheets. So we built them, and we open-sourced them. Full story →

2026-07-14 原文 →
AI 资讯

They Asked for My AI Rules. But I Could Not Just Hand Them Over.

A team lead announces that the team will start using AI-assisted development. Everyone nods. Nobody asks what that actually means on Monday morning. Some times ago I was in that position. A project I was working on needed to start using AI-assisted development, and the team was new to it. Nobody had rules written down for an agent to follow. Nobody had skills defined for it to load. There was no shared idea of how this should work inside our specific repo. Someone had to go first. That someone was me. The rules worked because I built them for one repo I spent time curating a set of rules and skills for that project. Not generic ones. I shaped them tightly around how that repo was actually structured, its conventions, its layout, the things a new engineer usually has to learn by asking around. I wanted an agent working inside that codebase to already know what a human teammate would have picked up in the first two weeks. I gave a demo. It landed well. Well enough that it got shared further across team, as something other teams could learn from. I gave the demo again. Same reaction. Then a few developers reached out for the actual rules and skills files. I said sure, and then I actually looked at what I would be handing them. The problem showed up the moment other people wanted in It was not copy-paste-able. The rules referenced folder names, module boundaries, and patterns specific to one repo. Handing them over as-is would have meant handing over advice that was wrong for their project, dressed up as a shortcut. So I told them to use it as a reference. Look at the structure, understand the reasoning, adapt it to your own repo. That is correct advice. I watched people nod at it and then quietly missing it. I was solving the wrong problem the whole time I had been thinking about this as a documentation problem. Write good rules, explain them well, let people copy the idea. What I actually had was a generation problem. The rules that worked were the ones rendered speci

2026-07-14 原文 →
AI 资讯

10 Useless NPM Packages You Didn't Know You Needed

We have all been there. You are staring at your screen late at night, trying to optimize a bundle size, or debugging an enterprise pipeline that has been failing for three hours straight. The mainstream development community constantly tells us to only install packages that are high performance, audited for security, and strictly necessary for production. But where is the fun in a perfectly clean node_modules folder? Sometimes, the ultimate way to level up your engineering workflow is to inject some absolute chaos into your dependencies. Why spend hours writing robust logic when you can install a library that brings pure irony to your terminal? Let us dive into ten packages that might look completely useless on the surface but are actually the most important modules you will ever encounter in your developer journey. 1. emoji-poop This NPM package lets you use the poop emoji in your output. The emoji is well required in most of the websites as the real fun begins when the site crashes and you can use this poop emoji to showcase the errors with an emoji. This will help the clients get a bit calm after seeing the emoji and the errors. Think about it from a psychological perspective: traditional red stack traces cause immediate client panic, but a well-placed graphical poop emoji introduces a masterclass in modern error mitigation. javascript // npm i emoji-poop const emoji = require('emoji-poop'); console.log(emoji) // 💩 2. thanos-js Who doesn't love Marvel, and Thanos being the strongest villain in the MCU? This package lets you delete files in Thanos fashion. Once you install and run it, it deletes 50% of your files, reducing your stress and giving you less codebase to work with. Yes, it deletes the files for those who are confused about what this package does. It uses fs.unlinkSync to delete the files. Deleting random files from .git would be absolutely evil, and Thanos would love to do it. Exactly half of the files are deleted. Each file is given a chance at random

2026-07-09 原文 →
AI 资讯

CI is the wrong place to first hear about your npm dependencies

Your CI catches the npm vulnerability. Your developer is already three branches away and one standup behind. The package is installed, the lockfile regenerated, the import wired into a service, and the human who made that decision did it on a Tuesday afternoon with a tab open to Stack Overflow. Now the scanner is yelling. From the terminal, that is not security. That is grief counseling. That is the frame Sonu Kapoor lays out in a DevOps.com essay this week, and the engineering bones of it are correct. A scanner is not a gate. It is a status check. Kapoor's argument is about feedback loops. A developer installs, codes, commits, pushes. Only then does CI run. By the time the finding surfaces, the decision to add the package, and the context for why, has evaporated. So has the lockfile churn that caused it. What started as "is this package safe?" becomes "fix this in a different sprint." The scanner did its job. The fix is now a project. He backs it with a small case study from the NestJS repo: a scan of package-lock.json returned 1,626 resolved packages and 25 vulnerabilities. Of those, 12 were directly fixable. Thirteen were transitive, buried in upstream graphs, waiting on someone else's release. In a pipeline-first workflow, every dependency hop is a separate commit and a separate run. (Multiply by the number of services your team owns. Then by your runner-minutes budget. Send me the bill.) The arithmetic gets ugly quickly. A single lockfile with more than fifteen hundred resolved packages is not exotic for a working Node app, it is the default. The chance that the first time anyone looks at that graph is during a pipeline run, after the merge intent is already in the reviewer's queue, is the structural bug. Where the essay is right, and where it gets too tidy Concede the obvious. CI is not the problem. CI is fine. It runs uniformly, it cannot be skipped, and it is the right place to fail a build when an OSV record drops mid-week against a dependency that was clea

2026-06-29 原文 →
AI 资讯

The New Standard for NPM Package Discovery: Deep Dive into LibPilot

As web developers, engineering workflows are heavily dependent on the NPM registry. However, the traditional process of searching, auditing, and integrating packages remains highly fragmented. Developers are routinely forced to hop between npmjs.com, GitHub source repositories, and external documentation tabs simply to verify bundle sizes, check dependency trees, or generate setup boilerplate. Following a strong reception on LinkedIn, X, and Facebook, the Motion Mind Team has introduced LibPilot to the dev.to community. LibPilot is not a traditional registry interface; it is an AI-powered search engine and discovery hub engineered to index, track, and analyze over 4,000,000 NPM packages in real time. Here is an architectural breakdown of how LibPilot restructures package exploration for modern developers and autonomous AI code agents. Intent-Based Discovery and Global Search Architecture Traditional search engines require users to input the exact name or strict keyword of a library. LibPilot introduces a dual-input architecture on its home page to eliminate this constraint: Direct Registry Querying: Users can input full or partial package names into the global search bar to instantly surface clean, structured, and typed suggestions directly from the live NPM ecosystem database. Contextual AI Recommendations: For scenarios where the ideal package is unknown, developers can type out a complete description of their project architecture or system constraints (for example: "a lightweight, typed state management engine that handles server-side rendering natively"). LibPilot's internal AI agent processes the functional requirements and suggests production-ready libraries suited for that stack. Continuous Context AI and Interactive Onboarding A core goal of the platform is reducing developer friction and maintaining deployment momentum. LibPilot transitions static package documentation into an interactive environment: Unlimited AI Chat Architecture: Once a library is select

2026-06-24 原文 →
AI 资讯

I built a CLI that generates .env files so I never read docs again

# EnvForge BETA v1.1 ⚡ Structured .env scaffolding for modern applications. Generate, validate, and protect environment variables for 14+ services – without ever opening a docs page. Github repo [ https://github.com/Jos3456/envforge ] NPM version (https://img.shields.io/npm/v/envforge-dev) MIT License (https://img.shields.io/badge/License-MIT-yellow.svg) ## Installation bash npm install envforge-dev **Requirements:** Node.js 18 or later. --- **## Quick Start** bash # 1. Generate an .env file and choose your providers envforge init # 2. Fill in your actual credentials envforge fill # 3. Check everything is set correctly envforge validate ## All Commands ### Scaffolding Command What it does envforge init Create a new .env by selecting providers interactively envforge add <provider> Add variables from a specific provider to your existing .env envforge preset Generate a .env from a popular stack preset envforge example Create a safe‑to‑commit .env.example file envforge fill Interactively enter values (secret keys are masked) envforge list Show all built‑in and custom providers ### Guardrails Command What it does envforge validate Check that all required variables are filled in envforge scan Detect secret keys accidentally exposed in frontend code envforge hook install Install a pre‑commit hook that runs validate + scan ### Customisation Command What it does envforge provider add Create a custom provider template envforge registry update Download the latest providers from the community registry ## Built‑in Providers Category Providers Database Supabase, Neon, MongoDB Atlas Auth Clerk, Auth0, Firebase AI OpenAI, Anthropic (Claude) Payments Stripe Email Resend, SendGrid Storage Cloudinary, AWS S3 / Cloudflare R2 Other Vercel Missing a provider? Add your own with envforge provider add or contribute one to the community. ## Framework‑Aware Scanning Use --framework for smarter detection: # Next.js specific rules (app/ vs pages/, "use client") envforge scan --framework next Th

2026-06-18 原文 →
AI 资讯

How I Built the Two Missing Payload CMS v3 Plugins — Reviews, JSON-LD & Real Production Bugs

Running 23 European e-commerce shops on Payload CMS v3 taught me that some things simply don't exist yet. So I built them. Background I maintain a multi-clone e-commerce infrastructure — 23 Next.js + Payload CMS v3 shops deployed across Europe, each on its own subdomain and language. Think fr.myshop.com , de.myshop.com , sk.myshop.com ... all running on the same codebase with country-specific patches. While building this, I kept running into two missing pieces that no one had published for Payload v3: A customer reviews system with admin moderation and Google star ratings Complete Schema.org JSON-LD for Google rich snippets (Product, BreadcrumbList, ItemList, AggregateRating) Both are now published on npm. Here's what I built, the bugs I hit, and how I solved them. Part 1 — The Reviews Plugin What didn't exist Search npm for payload reviews or payload ratings — you'll find nothing for v3. The official plugin ecosystem covers SEO, forms, redirects, Stripe... but not customer reviews. Building the collection The reviews collection itself is straightforward — relationship to products , rating (1-5), status select (pending/approved/rejected), author fields. The tricky parts came later. Access control gotcha: Payload v3 uses a roles array, not a role string. This breaks if you copy v2 patterns: // ❌ Wrong — always returns false update : ({ req }) => req . user ?. role === ' admin ' , // ✅ Correct for v3 update : ({ req }) => req . user ?. roles ?. includes ( ' admin ' ), Prevent self-verification: Users can POST any field on create: () => true collections. Lock verified in a beforeChange hook: hooks : { beforeChange : [ ({ data }) => { if ( ! data . status ) data . status = ' pending ' data . verified = false // admin-only, always reset on create return data }, ], }, Email protection: read: () => true on the collection exposes authorEmail in the public API. Add field-level access: { name : ' authorEmail ' , type : ' email ' , access : { read : ({ req }) => req . user ?.

2026-06-16 原文 →
AI 资讯

Scarab Field Test #021 — pnpm Self-Upgrade No-Manifest Boundary

Target: pnpm/pnpm Issue: pnpm/pnpm#12240 PR: pnpm/pnpm#12301 Public branch: https://github.com/scarab-systems/pnpm/tree/fix/deps-status-no-manifest Latest pushed commit: cb68ac1af0dcffbe4fb607a10b0df2046d2490ba This field test targeted a pnpm command-routing failure where pnpm self-upgrade could fail outside a project directory with: ERR_PNPM_NO_PKG_MANIFEST The issue looked simple at the surface: a global/self command should not require a project manifest just because the current working directory is not inside a package. But the repair boundary was more specific than “ignore missing manifest.” The problem was in the dependency-status verification path. When dependency status was unavailable because there was no project manifest, the command could fall through into the auto-install path. That made a self-upgrade/global-style command behave as if it needed a local project manifest. Failure shape The failing behavior was: pnpm self-upgrade run outside a project directory dependency status cannot be established from a project manifest the command path falls into install/manifest expectations result: ERR_PNPM_NO_PKG_MANIFEST That is the wrong ownership boundary. A self-upgrade command should not inherit project-manifest preconditions when there is no local project context. Boundary The boundary here is: global/self command execution versus project dependency-status verification Dependency-status verification can be useful when a command is operating inside a project. But when there is no project manifest and the command is not recursive/all-projects, “dependency status unavailable” should not automatically mean “try to auto-install project dependencies.” There are two different cases: Dependency status is unavailable because there is no project manifest. Dependency status is unexpectedly unavailable even though a root project manifest exists. Those cases should not behave the same. The repair preserves that distinction. What changed The patch updates: exec/commands/src

2026-06-10 原文 →
AI 资讯

Microsoft's npm Packages Got Backdoored. Again. And AI Agents Pulled the Trigger.

73 cryptographically signed npm packages from Microsoft were compromised last week with advanced credential-stealing malware that fires the moment a developer opens one in an AI coding agent. Claude Code, Gemini CLI, Cursor, VS Code — all trigger it. It's the second supply-chain attack in two months against the same Microsoft account. "The genius of this Miasma worm lies in how it adhered to legitimate workflows. It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem." — Cloudsmith What actually changed 73 official Microsoft npm packages were poisoned with the Miasma worm — a clone of TeamPCP's open-sourced Mini Shai-Hulud toolkit Malware executes automatically when any of the 73 packages are opened inside an AI coding agent The payload (28 KB) harvests credentials from AWS, Azure, GCP, Kubernetes, 90+ dev tool configs, and password managers , then spreads laterally through cloud infrastructure Attack vector: stolen Microsoft publisher credentials → bypasses the build pipeline entirely → malicious build published with valid SLSA provenance attestation Each infection gets a uniquely encrypted payload — meaning hash-based IOCs are useless for detection GitHub initially flagged packages as "terms of service violations" rather than malware; Microsoft only acknowledged possible malicious content 48 hours later The same Microsoft account was compromised in May 2026 (durabletask Python SDK on PyPI, 400k downloads/month) — and apparently wasn't fully remediated Why this one stings The supply-chain attack playbook has levelled up. SLSA provenance — the framework designed to give you cryptographic confidence that a package came from a legitimate build — was used against you here. Attackers stole a legitimate Microsoft OIDC token, published a malicious build with real provenance, and conventional scanners waved it through as a routine trusted update. The AI agent angle makes it worse.

2026-06-10 原文 →