Security Researchers Spot 150,000 Function-less npm Packages in Automated ‘Token Farming’ Scheme
An anonymous reader shared this report from The Register:
Yet another supply chain attack has hit the npm registry in what Amazon describes as “one of the largest package flooding incidents in open source registry history” — but with a twist. Instead of injecting credential-steal … ⌘ Read more
The average Australian wedding is $34,000. Polly and Riley’s choice starts at $480
In a year when Jeff Bezos’ wedding was slammed for its excess, registry weddings are on the rise. ⌘ Read more
How to find, install, and manage MCP servers with the GitHub MCP Registry
Learn how to bring structure and security to your AI ecosystem with the GitHub MCP Registry, the single source of truth for managing and governing MCP servers.
The post How to find, install, and manage MCP servers with the GitHub MCP Registry appeared first on … ⌘ Read more
Announcing ORAS v1.3.0: Elevating artifact and registry management workflows
The ORAS community is thrilled to announce the release of ORAS CLI v1.3.0, a version packed with stability improvements and pioneering capabilities. In addition to strengthening existing functionality, this release introduces three major new features designed… ⌘ Read more
Our plan for a more secure npm supply chain
Addressing a surge in package registry attacks, GitHub is strengthening npm’s security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem.
The post Our plan for a more secure npm supply chain appeared first on The GitHub Blog. ⌘ Read more
Yes, yes, yes, you can raise the length limit. But MSVC’s FileTracker thingy doesn’t respect the registry, and still fails at 260. ⌘ Read more
@anth@a.9srv.net happy birthday, “youngster!”
Domain Name: NETBROS.COM
Registry Domain ID: 1193243_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: https://www.cloudflare.com
Updated Date: 2025-03-29T04:08:33Z
Creation Date: 1998-04-29T04:00:00Z
My Hypothesis for why registries didn’t work and why they still won’t really work today is because they bend the rules of “true” decentralization a bit. Users have to pick one or more registries to “register” to. Why would they want to do this? What is their incentive to do so? Then on the other hand, users need a client that has registry support, but now which registry or sets of registries do you choose?
@prologic@twtxt.net yes.. But have I? And all the other pods and registries?
Hi, so I made a little MVP registry crawler tool for twtxt. It now has a basic UI to play with. It has a somewhat full history back to about 2018-ish. Plus some interesting bits that were timestamped to earlier.
Find it here: https://watcher.sour.is
Code base is found here: https://git.sour.is/sour-is/xt
Registry format is its own thing. It takes the regular feed and appends nick \t uri \t to it. It’s something that existed before yarn got big. There is still a bit of work but I will put together a UI for it to make it easier to view and navigate.
@eapl.me@eapl.me I am currently working on Implementing a registry that is also a crawler. It finds any feeds that are mentioned or in the follows header.
https://watcher.sour.is/api/plain/twt
https://watcher.sour.is/api/plain/users
I think @prologic@twtxt.net is also working on one.
@eapl.me@eapl.me this “directory” is actually named registry. You can see users at https://registry.twtxt.org/api/plain/users and his twts at https://registry.twtxt.org/api/plain/tweets
Hmm so looking at the swagger of the registry spec client it seems to just take a “page”.. That seems worse than doing an offset. Lol.
https://github.com/DracoBlue/twtxt-registry/blob/master/src/swagger.json
I’m not much of a fan of registry limit/offset paging. I think I prefer the cursor/count method. And starting at zero for first and max for latest.
I need to import my yarn cache. It’s sitting at about 1.5G in registry format. That should make things interesting…
Why not just use registry? It can be personal or hosted by someone like registry.twtxt.org. Just need to be adapted to support hashes
From PCAP to SCAP: how Falco’s libraries, registries, and plugins enable cloud native insights
Member post by Nigel Douglas, Sysdig In cloud-native systems, understanding the behaviour of complex, distributed web apps requires powerful tools that can dissect system activity down to its core. As the CNCF graduate project Falco demonstrates,… ⌘ Read more
@andros@twtxt.andros.dev Sorry I missed your messages to #twtxt on IRC. There are people there, but it can take several hours to get a response. E.g. I check it every day or two. I recommend using an IRC bouncer. To answer your question about registries, I used a couple of registries when I first started out, to try to find feeds to follow, but haven’t since then. I don’t remember which ones, but they were easy to find with web searches.
@david@collantes.us Thanks, that’s good feedback to have. I wonder to what extent this already exists in registry servers and yarn pods. I haven’t really tried digging into the past in either one.
How interested would you be in changes in metadata and other comments in the feeds? I’m thinking of just permanently saving every version of each twtxt file that gets pulled, not just the twts. It wouldn’t be hard to do (though presenting the information in a sensible way is another matter). Compression should make storage a non-issue unless someone does something weird with their feed like shuffle the comments around every time I fetch it.
@prologic@twtxt.net I believe you when you say registries as designed today do not crawl. But when I first read the spec, it conjured in my mind a search engine. Now I don’t know how things work out in practice, but just based on reading, I don’t see why it can’t be an API for a crawling search engine. (In fact I don’t see anything in the spec indicating registry servers shouldn’t crawl.)
(I also noticed that https://twtxt.readthedocs.io/en/latest/user/registry.html recommends “The registries should sync each others user list by using the users endpoint”. If I understood that right, registering with one should be enough to appear on others, even if they don’t crawl.)
Does yarnd provide an API for finding twts? Is it similar?
@prologic@twtxt.net I guess I thought they were search engines. Anyway, the registry API looks like a decent one for searching for tweets. Could/should yarn.social pods implement the same API?
@prologic@twtxt.net What’s the difference between search.twtxt.net and the /api/plain/tweets endpoint of a registry? In my mind, a registry is a twtxt search engine. Or are registries not supposed to do their own crawling to discover new feeds?
@prologic@twtxt.net How does yarn.social’s API fix the problem of centralization? I still need to know whose API to use.
Say I see a twt beginning (#hash) and I want to look up the start of the thread. Is the idea that if that twt is hosted by a yarn.social pod, it is likely to know the thread start, so I should query that particular pod for the hash? But what if no yarn.social pods are involved?
The community seems small enough that a registry server should be able to keep up, and I can have a couple of others as backups. Or I could crawl the list of feeds followed by whoever emitted the twt that prompted my query.
I have successfully used registry servers a little bit, e.g. to find a feed that mentioned a tag I was interested in. Was even thinking of making my own, if I get bored of my too many other projects :-)
@prologic@twtxt.net Yes, fetching the twt by hash from some service could be a good alternative, in case the twt I have does not @-mention the source. (Besides yarnd, maybe this should be part of the registry API? I don’t see fetch-by-hash in the registry API docs.)
Docker Scout Health Scores: Security Grading for Container Images in Your Docker Hub Registry
The Docker team introduces Docker Scout health scores to help quickly evaluate image health and simplify software security for developers. ⌘ Read more
Azure Container Registry and Docker Hub: Connecting the Dots with Seamless Authentication and Artifact Cache
See best practices for using public images and ensuring the security and reliability of your Docker containers. ⌘ Read more
Bringing npm registry services to GitHub Codespaces
The npm engineering team recently transitioned to using GitHub Codespaces for local development for npm registry services. This shift to Codespaces has substantially reduced the friction of our inner development loop and boosted developer productivity.
The post Bringing npm registry services to GitHub Codespaces appeared first on [The GitHub Blog] … ⌘ Read more
I’ve added myself to the registries at registry.twtxt.org and twtxt.tilde.institute. I wonder if there’s a list of registries. #meta
Docker Hub Registry IPv6 Support Now Generally Available
Docker announces the general availability of IPv6 support for the Docker Hub Registry, Docker Docs, and Docker Scout endpoints. ⌘ Read more
Using Docker Desktop and JFrog Artifactory for the Enterprise
Learn how to configure Docker Desktop to work with JFrog Artifactory as your Docker registry to manage the push and pull of container images. ⌘ Read more
Announcing Docker Hub OCI Artifacts Support
We’re excited to announce that Docker Hub can now help you distribute any type of application artifact! You can now keep everything in one place without having to leverage multiple registries. Before today, you could only use Docker Hub to store and distribute container images — or artifacts usable by container runtimes. This became a […] ⌘ Read more
@prologic@twtxt.net Yeah I don’t even know how to use them once I added myself to the registries. The jarn search engine is similar to the registries thing but it’s easier to search and find things from. Also I assume it’s easier to use it in the yarn pods and whatever else to get new posts. I would always like to see yarn work with regular twtxt because there are advantages to plain twtxt.
@prologic@twtxt.net I do think the post about how to set up jenny + mutt over on the uninformativ.de blog is still a great post. I used that post to see the steps to set it up and it works fine. Though I can write some blog post with some more documentation for things like auto publishing. The big issue with plain twtxt is that I would have not seen your post unless I looked on twtxt.net when I was looking at yarn a little bit more. Twtxt does overcome the issue by introducing the registry but I can’t figure out any way to use them for Jenny and almost no one uses them in the first place. So I can’t see anyone’s replies or mentions unless I am following them. Yarn does overcome the issue by friends of friends as you would know as the creator of yarn.
Right now I have to set up jenny for my timeline. Just added myself to the Registry so that part is done.
Gitea Container Registry
I am a Gitea fan! I have been for some time now. But it’s always amazing how fast new features are implemented in the self-hosted GitHub alternative. ⌘ Read more
Hong Kong’s largest journalist group insists it operates in accordance with law after being asked by authorities to justify activities
Hong Kong Journalists Association says it received letter from Registry of Trade Unions demanding explanation of group’s operations. ⌘ Read more
GitHub Enterprise Server 3.5 is now generally available
GitHub Enterprise Server 3.5 is available now, including access to the Container registry, the addition of Dependabot, enhanced administrator capabilities, and features for GitHub Advanced Security. ⌘ Read more
Enhanced 2FA experience for your npm account
Late last year, in response to an unprecedented series of account takeovers resulting from the compromise of developer accounts without 2FA enabled, we committed to a variety of enhancements to the npm registry to make two-factor authentication (2FA) adoption easier for developers. Today, we are launching a public beta for a significantly improved 2FA experience […] ⌘ Read more
Though twtxt registries never really took off gemini://warmedal.se/~antenna/twtxt.txt presents the last 7 days of twts known by Antenna in the registry format. It’s intended to be a help in discovering twt feeds in geminispace (there aren’t very many yet).
Enrolling all npm publishers in enhanced login verification and next steps for two-factor authentication enforcement
Today we’re introducing enhanced login verification to the npm registry, and we will begin a staged rollout to maintainers beginning Dec 7. ⌘ Read more
GitHub’s commitment to npm ecosystem security
We’re sharing details of recent incidents on the npm registry, our investigations, and how we’re continuing to invest in the security of npm. ⌘ Read more
Beta IPv6 Support on Docker Hub Registry
At Docker we’re all about our community, so we listened to your excitement about Docker Hub support for IPv6 on the public roadmap, and now we are pleased to be introducing beta IPv6 support for the Docker Hub Registry! This means if you’re on an IPv6 only network, you can now opt in to use […]
The post Beta IPv6 Support on Docker Hub Registry appeared first on [Docker Blog … ⌘ Read more
The npm registry is deprecating TLS 1.0 and TLS 1.1
Beginning October 4, 2021, all connections to npm websites and the npm registry, including for package installation, must use TLS 1.2 or higher. ⌘ Read more
GitHub Packages Container registry is generally available ⌘ Read more…
Securing the open source supply chain by scanning for package registry credentials ⌘ Read more…
How to Use Your Own Registry ⌘ Read more…