
npm and pnpm Introduce Staged Package Publishing
Staged publishing lets you upload to the registry, verify, then promote — reducing supply-chain blast radius. Plus pnpm 11.3 trustLockfile and npm 12 prerelease.

Tag
All blog posts with this tag.

Staged publishing lets you upload to the registry, verify, then promote — reducing supply-chain blast radius. Plus pnpm 11.3 trustLockfile and npm 12 prerelease.

L1 + Redis, single-flight, and graceful degradation — layercache benchmarks against thundering herds.

Sync conversion in HTTP vs a Redis queue: p95 dropped from 800ms to 3.8ms, throughput rose 4.8×—plus the complexity trade-off.

Concatenation, template literals, and innocent-looking sql variables — why reviews miss them and how eslint-plugin-pg catches them statically.

EADDRINUSE on Windows, macOS, and Linux without OS if/else chains. Strategy, Factory, TypeScript contracts, and shell-injection-safe runners.

A huge model-written PR, CLAs, and maintainer burnout — not «anti-AI», but review process for critical infrastructure.

A schema for .env, CI checks, and generated types — catch PORT=abc and empty API_KEY before deploy.

Base64 is not encryption, alg=none, weak secrets, and refresh without rotation — a pre-production checklist for JWT auth.

ignore-scripts, npm ci, provenance, and lockfile review—layered defenses when node_modules holds thousands of transitive packages.

ReDoS, npm supply chain, prototype pollution, secrets in env, and NoSQL injection — a checklist teams often skip after a fast deploy.

Node.js vs Go/Rust throughput and memory, npm risk, and when a single language stack still wins.