Node.js devs, so picture this: you run `npm install` and you get a bunch of packages with audit errors.
The only thing I want to know at that point is what’s the root package that these dependencies belong to? (Running npm audit fix is a last resort as I don’t like it fiddling around with the dependencies of nested packages.)
It’s also not a straightforward thing to do, but it’s nothing jq and a bit of piping can’t fix:
```bash
npm audit --json | jq -r '.vulnerabil…
```
And that's a wrap - the newly refreshed laptop has been handed over to the teen with most of the packages functional. Thanks for following along on this @… installation journey with me, and thanks to all #linux maintainers, forum contributors and FOSS advocates for keeping the system running.
👏 WE REALLY APPRECIATE YOU!👏
The final judgement won't be clear until Monday when the first log in at school happens but hopefully it will be successful, or the IT support is going to have to deal with some very salty comments (from me).
16/16
FIN
#ReleaseWednesday — Thanks to a user suggestion, I've added support for declarative canvas pixel density adjustments in the following packages:
- https://thi.ng/hiccup-canvas
-
Furloughed federal employee delivering food, packages in Massachusetts during shutdown to pay bills - CBS Boston
https://www.cbsnews.com/boston/news/furloughed-federal-employee-delivering-food-shutdown/
»Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack:
Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.«
How do you check whether the JavaScript libraries, and the libraries they are based on, are now safe?!??
🧑‍💻
So am I understanding this correctly that the upcoming NPM authentication and token changes mean our only publishing workflow options henceforth are either switching to OIDC Trusted Publishing[1] via GitHub Actions or using granular access tokens? The problem with the former is that I wanted to migrate my projects to Codeberg soon (which isn't supported). The problem with the latter is that granular tokens are unsuitable for publishing packages from a large monorepo, since these tokens a…
@… thanks.
I had the same thought about persistence of non-automatic packages in my very early days (probably with PC-BSD, around a decade ago, before TrueOS), but soon discovered that sometimes:
― accepting an upgrade will remove a required package.
It took years for me to come close to a full understanding of the multi-layered causes of remo…