
Dev News: npm Attacks, htmx Updates and Flutter’s Roadmap

A denial-of-service incident at npm made headlines this week. Also, Flutter released its roadmap for 2023 and htmx migrated its website.
Apr 14th, 2023 9:15am by

A brief denial of service hit npm, the open source package registry for Node.js, after attackers flooded it with bogus packages, according to Hacker News.

The attackers created malicious websites and published empty packages whose metadata linked to those sites, “taking advantage of open source ecosystems’ good reputation on search engines,” Checkmarx’s Jossef Harush Kadouri said in a blog post about the attacks.

“The attacks caused a denial-of-service (DoS) that made npm unstable with sporadic ‘Service Unavailable’ errors,” he noted. “The campaigns included a malware infection campaign, a referral scam campaign linked to AliExpress, and a crypto scam campaign targeting Russian users on Telegram.”

npm is the package manager for JavaScript, maintained by npm, Inc. (now part of GitHub), and is also the default package manager for Node.js.

The past year has already been bad for attacks on open source ecosystems, but March was by far the worst month yet, Kadouri said.

“Typically, the number of package versions released on npm is approximately 800,000,” Kadouri said. “However, in the previous month, the figure exceeded 1.4 million due to the high volume of spam campaigns.”

Htmx Releases Version 1.9.0

This week, htmx released version 1.9.0, which includes support for view transitions and bug fixes, as well as a website migration off 11ty to static site engine Zola.

Htmx is a relatively new HTML extension framework designed to simplify web development and shift it away from the single-page application approach. It’s a “JavaScript library for performing AJAX requests, triggering CSS transitions, and invoking WebSocket and server-sent events directly from HTML elements,” according to a 2021 LogRocket blog post. Essentially, htmx lets developers build modern user interfaces with simple markup.

The project site moved from 11ty to the static site engine Zola, which the announcement noted cut “way down” on the number of JavaScript development dependencies. Besides the site switch and a fixed memory leak, new features include:

  • Support for view transitions, which is “based on the experimental View Transitions API currently available in Chrome 111+ and coming to other browsers soon,” the post noted;
  • “Support for ‘naked’ hx-trigger attributes, where an hx-trigger is present on an element that does not have an hx-get, etc. defined on it. Instead, it will trigger the new htmx:triggered event, which can be responded to via your preferred scripting solution”; and
  • Support for generalized inline event handling via the new hx-on attribute, which the blog post notes addresses the shortcoming of HTML’s limited set of built-in on* event handler attributes.
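The three 1.9.0 features above in one page, as an added example that is not code from the htmx release post or the htmx project itself. It assumes htmx 1.9.0 served from a local htmx.min.js and a backend that answers GET /status and POST /items with HTML fragments; the element ids, URLs and header name are made up for illustration. The 1.9.0 hx-on syntax shown is the "eventName: code" form that predates the later hx-on:event attribute form.

```html
<!-- Added example, not from the htmx project. Assumes htmx 1.9.0 in htmx.min.js
     and a server that returns HTML fragments for /status and /items. -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <!-- hx-on compiles the attribute body into a JavaScript function at runtime,
       so a script-src policy that lacks 'unsafe-eval' will break it. Decide
       that before relying on hx-on; hx-get/hx-post/hx-trigger do not need it. -->
  <script src="htmx.min.js"></script>
</head>
<body>

  <!-- 1. View transitions: the transition:true swap modifier opts this swap
          into the View Transitions API where the browser supports it
          (Chrome 111+ at the time of the release); elsewhere it swaps normally. -->
  <button hx-get="/status" hx-target="#status" hx-swap="innerHTML transition:true">
    Refresh status
  </button>
  <div id="status">(not loaded)</div>

  <!-- 2. "Naked" hx-trigger: no hx-get/hx-post here, so htmx issues no request
          and instead fires its trigger event on the element. -->
  <div id="panel" hx-trigger="click, keyup[key=='Enter'] from:body" tabindex="0">
    Click me or press Enter
  </div>
  <script>
    // The release post as quoted in the article names the event htmx:triggered;
    // htmx's event reference lists it as htmx:trigger. Check the version you run.
    document.getElementById('panel').addEventListener('htmx:trigger', function (e) {
      e.target.textContent = 'triggered via ' + e.detail.elt.id;
    });
  </script>

  <!-- 3. hx-on: inline handler for any event, including htmx's own lifecycle
          events. Here it stamps a request header before the POST goes out.
          Never interpolate server-side data into this attribute: it is a script
          sink exactly like onclick, and an attacker-controlled value becomes
          executed JavaScript rather than text. -->
  <form hx-post="/items" hx-target="#status"
        hx-on="htmx:configRequest: event.detail.headers['X-Example-Client'] = 'htmx-1.9'">
    <input name="name" placeholder="item name">
    <button type="submit">Add item</button>
  </form>

</body>
</html>
```

The CSP point is the one to settle first: if your policy is `script-src 'self'` with no `'unsafe-eval'`, keep to the declarative attributes (hx-get, hx-trigger, hx-swap) and attach handlers from a separate script file as the panel example does, rather than loosening the policy to make hx-on work.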

Python Software Foundation Says EU Acts Could Create Risk for OSS

The Python Software Foundation is worried that two proposed European Union acts could create risks for open source software.

The foundation stated that while it agrees with the stated goals of the policies of increased security and accountability for European software consumers, it fears the overly broad policies in the Cyber Resilience Act and Product Liability Act “will unintentionally harm the users they are intended to protect.”

“Many modern software companies rely on open source software from public repositories without notifying the author, and certainly without entering into any kind of commercial or contractual relationship with them,” wrote Deb Nicholson, executive director of the Python Software Foundation. “If the proposed law is enforced as currently written, the authors of open source components might bear legal and financial responsibility for the way their components are applied in someone else’s commercial product.”

Under the current language, the foundation could potentially be liable for any product that includes Python code, without having received any monetary gain from those products. That risk of potential costs would make it “impossible in practice for us to continue to provide Python and the Python Package Index to the European public,” she wrote.

She noted that the existing language does not differentiate between independent authors who have never been paid for the supply of software, and big corporations that sell products for end-users.

“We believe that increased liability should be carefully assigned to the entity that has entered into an agreement with the consumer,” Nicholson added.

The Eclipse Foundation and NLnet Labs also have voiced concerns about how these policies could affect global open source projects, she said.

Flutter Framework Roadmap Released

The Flutter team released its roadmap for 2023 this month. Tim Sneath, who wrote about the news on Medium, is the product manager and UX director for developer frameworks and languages at Google. That includes overseeing Flutter, an open source portable UI framework that lets developers build apps for any platform from a single codebase.

Flutter builds on Dart, a multiplatform language that enables “cornerstone Flutter features that include stateful hot reload; fast, iterative compilation to native and web; and a thriving package ecosystem,” the documentation states.

The document notes that over the coming years, the framework faces a number of challenges, including migrating the ecosystem to null safety without fragmentation and building an ecosystem that is self-sustaining.

Still, Sneath writes that the platform has a competitive edge in that it has long focused on developer experience as a fundamental value.

The 2023 investments will focus on six “sub-areas” of developer experience:

  1. performance
  2. interoperability
  3. portability
  4. ecosystem
  5. security, and
  6. fundamentals

Google also plans for Flutter to eventually target WebAssembly (Wasm).

TNS owner Insight Partners is an investor in: Checkmarx.