So Nerdy Planet #9
Hello, My Fellow Nerds!
This is the last newsletter with a single-digit issue number :) And actually one of the last with a three-digit subscriber count :D Thanks for such amazing trust! Before we start - if you'd like to send news or provide feedback, please feel free to ping me at dima@sonerdy.me
Today we will speak about:
- NPM ecosystem vulnerability and how it impacts the whole JavaScript stack
- RTO, AI, and interviews. How are they connected?
- The new H-1B visa policy in the US and how it can impact tech companies
NPM ecosystem vulnerability
A couple of years ago, if you wanted to launch a startup, the tech stack was obvious - JavaScript / TypeScript. And it makes so much sense: you can write the backend and frontend parts of your solution in the same language, so you don't need such wide expertise. Of course, backend and frontend still require different skill sets, but at least it becomes easier to be a full-stack engineer ( well, someday we will specify what that means )
Once the tech stack is selected, though, there is a new issue to think about - npm supply-chain vulnerability. Think about it: in the last month alone there were two big supply chain attacks:
- The account of the popular open-source maintainer Qix- was compromised. That gave the attacker publish access to popular packages like chalk and color-convert, which tons of other packages depend on. The injected code, pulled in by every dependent package, tried to steal crypto. JFrog said it was probably one of the biggest npm compromises in history:
We've been tracking what appears to be the largest npm compromise in history over the past 24 hours, and it's still unfolding.
The potential blast radius of the compromised packages reached nearly 34% of all npm packages.
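As an added illustration (not from the newsletter or from JFrog), here is what that blast radius means for one project: a Node.js script that walks a package-lock.json, mirrors npm's nearest-node_modules resolution, and lists every dependency chain from the project root to a package named in an advisory together with the version actually resolved. The lockfile and the package name "some-tool" are constructed for the demo, and the verified-version list is a placeholder to be taken from the advisory.

```javascript
// Added example: find every chain from the project root to a package named in a
// supply-chain advisory, with the version the lockfile resolved for it.
// Constructed lockfile (v3 "packages" map); "some-tool" is a made-up package.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { chalk: "^4.1.2", "some-tool": "^1.0.0" } },
    "node_modules/chalk": { version: "4.1.2", dependencies: { "ansi-styles": "^4.1.0" } },
    "node_modules/ansi-styles": { version: "4.3.0", dependencies: { "color-convert": "^2.0.1" } },
    "node_modules/color-convert": { version: "2.0.1", dependencies: { "color-name": "~1.1.4" } },
    "node_modules/color-name": { version: "1.1.4" },
    "node_modules/some-tool": { version: "1.0.0", dependencies: { "color-convert": "^1.9.0" } },
    "node_modules/some-tool/node_modules/color-convert": { version: "1.9.3" },
  },
};

// npm resolves a dependency from the nearest enclosing node_modules, walking up
// toward the root; mirror that so nested duplicate copies are not missed.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    base = base.replace(/\/?node_modules\/[^/]+$/, "");
  }
}

// Depth-first walk over runtime dependencies from the root; whenever we land on
// `target`, record the chain of package names and the pinned version.
function chainsTo(lockfile, target) {
  const packages = lockfile.packages;
  const results = [];
  const visit = (path, chain) => {
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const child = resolveDep(packages, path, name);
      if (!child || chain.includes(child)) continue; // missing entry or cycle
      const next = chain.concat(child);
      if (name === target) {
        const names = next.map((p) => p.split("node_modules/").pop());
        results.push({ chain: names, version: packages[child].version });
      }
      visit(child, next);
    }
  };
  visit("", []);
  return results;
}

// Flag resolved versions not on the list verified against the advisory.
// PLACEHOLDER list: "2.0.1" is only for the demo, not a real-world verdict.
function audit(lockfile, target, verifiedVersions) {
  return chainsTo(lockfile, target).map((r) => ({ ...r, flagged: !verifiedVersions.includes(r.version) }));
}

console.log(audit(lock, "color-convert", ["2.0.1"]));
```

Run it against a real lockfile by replacing `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the flagged chains tell you which direct dependency to bump or pin.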