npm Refuses to Install Packages Due to PeerDependencies

512,000 lines of TypeScript. Shipped to npm. By accident. Anthropic leaked Claude Code's entire source code through a misconfigured source map in version 2.1.88. Not a hack. A packaging mistake. 𝗛𝗲𝗿𝗲'𝘀 𝘁𝗵𝗲 𝗱𝗲𝗮𝗹 The npm package included an unobfuscated source map exposing ~2,000 TypeScript files. Thousands of devs mirrored it within hours. The internet doesn't forget. 𝗪𝗵𝗮𝘁 𝗽𝗲𝗼𝗽𝗹𝗲 𝗳𝗼𝘂𝗻𝗱 👉🏽 KAIROS: a persistent background agent that fixes errors and runs tasks without you 👉🏽 A "dream" mode where Claude thinks in the background 👉🏽 Push notifications for completed tasks 👉🏽 The full architecture behind one of the fastest growing repos on GitHub 𝗧𝗵𝗲 𝗹𝗲𝘀𝘀𝗼𝗻 A missing .npmignore exposed everything. npm packaging defaults are aggressive: if you don't explicitly exclude files, they ship. Worse, attackers jumped on the confusion window to typosquat internal package names and stage dependency confusion attacks. I use Claude Code every day. No customer data or credentials leaked, and Anthropic patched it fast. But this is a good reminder to audit your own npm packages. One bad publish and your source is public forever. 𝘞𝘩𝘦𝘯'𝘴 𝘵𝘩𝘦 𝘭𝘢𝘴𝘵 𝘵𝘪𝘮𝘦 𝘺𝘰𝘶 𝘤𝘩𝘦𝘤𝘬𝘦𝘥 𝘺𝘰𝘶𝘳 .𝘯𝘱𝘮𝘪𝘨𝘯𝘰𝘳𝘦?

A small but important shift in my Node.js workflow: Understanding when to use npm vs npx. It sounds basic — but it actually affects how clean and maintainable your setup is. Here’s how I look at it 👇 🔹 npm (Node Package Manager) Used when a package is part of your project. For example: npm install express It gets added to your project and is used consistently. 👉 npm = project dependencies 🔹 npx (Node Package Executor) Used for running tools when you don’t need to install them. For example: npx create-react-app myapp npx prisma init 👉 npx = run and move on 💡 What changed for me: I stopped installing everything globally. Now I keep it simple: • Dependencies → npm • One-time tools → npx This made my setup: • Cleaner • More predictable • Easier to manage 👉 Good development isn’t just about writing code. It’s about making small decisions that scale well. Still learning and improving 🚀 #NodeJS #npm #npx #BackendDevelopment #WebDevelopment #JavaScript

😂 POV: You told yourself “It’s just a small project” You open your terminal. You type: npm install …and suddenly your node_modules folder is the size of a small African country. This man isn’t pouring olive oil. He’s pouring NODE MODULES on his “tiny salad” project 😂 We’ve all been there. You just wanted a simple Express API or a quick automation script… but 15 seconds later your project is carrying 487 MB of transitive dependencies like it’s luggage for a 2-day trip. Knowledge drop for my fellow devs: • The average node_modules folder today is bigger than the entire Linux kernel. • One innocent package can pull in hundreds of sub-dependencies (thanks, transitive dependency hell). • Some “hello world” projects are now hitting 1GB+ in node_modules. Pro tips to stop the madness: 1. Use pnpm or Yarn PnP — they can shrink your node_modules by 70-90% 2. Run npm audit + depcheck regularly 3. Always .gitignore your node_modules (if you’re not doing this… we need to talk 😂) 4. Consider Bun or Deno if you want to escape the dependency drama entirely Tag a developer who’s currently drowning in node_modules right now 👇 What’s the biggest node_modules size you’ve ever seen? Drop it in the comments — let’s laugh (and cry) together! #NodeJS #DeveloperLife #WebDevelopment #TechHumor #JavaScript #CodingLife #SoftwareEngineering

I just published my second open source npm package - and it came from a frustration I've had across every enterprise codebase I've worked in. Every form with multiple date fields has the same problem: start date must come before review date, which must come before end date. Simple in theory. Surprisingly messy in practice — especially when fields are optional, when timezones are involved, or when you need clear, actionable error messages rather than a generic "invalid date". I kept solving this problem differently in every project. So I extracted the solution, polished it, and published it: 📦 chronologic-validator A framework-agnostic TypeScript library for validating ordered date sequences, with adapters for React Hook Form and Zod. Zero dependencies in the core. Timezone-safe. No cascading errors. npm install chronologic-validator I also wrote about the design decisions behind it - why skipNull defaults to true, how the no-cascade error behaviour works, and the timezone normalisation bug I've seen trip up teams more than once. 🔗 Full article: https://lnkd.in/eX_hh4sB 🐙 GitHub: https://lnkd.in/ec9DGvR8 📦 npm: https://lnkd.in/eYZRdZkT If you have hit this problem before, I would love to know how you solved it. And if this saves you some time, a ⭐ on GitHub goes a long way.

Big move for the future of Node.js 👇🏼 Michaël Zasso landed the V8 14.6 upgrade in upstream Node — coming in Node v26. And with it: → Temporal (Stage 4), now available unflagged This is bigger than it looks. Time handling has historically been one of the most error-prone areas in JavaScript — time zones, parsing inconsistencies, edge cases in production… Temporal is a fundamental step toward fixing that at the language level. And now it’s becoming part of the default Node.js runtime experience. These are the kinds of changes that quietly reshape production systems. 👏🏼 Credit to Michaël Zasso for the work 📣 Shared via Rob Palmer Source: https://lnkd.in/gbsdpiCq https://lnkd.in/gF84q7PH

If you want to create a NestJS library to share between your services, you need to use peer dependencies. In short, you’re declaring that your module depends on specific packages that must be installed in the host project. pnpm add --save-peer @nestjs/{core,common} This command adds those packages as peer dependencies. Unlike npm, pnpm will also add them as dev dependencies. Note: The brace expansion syntax ({core,common}) only works on Unix-like systems. #node #pnpm #npm

⚡ 𝗻𝗽𝗺 𝗶𝗻𝘀𝘁𝗮𝗹𝗹 𝘃𝘀 𝗻𝗽𝗺 𝗰𝗶 — Quick Dev Tip Most developers use these daily, but using the right one actually matters 👇 🔧 𝗻𝗽𝗺 𝗶𝗻𝘀𝘁𝗮𝗹𝗹   • Best for development   • Installs from package.json   • Can update dependencies  ⚡ 𝗻𝗽𝗺 𝗰𝗶   • Best for CI/CD & production   • Installs exact versions from package-lock.json   • Fast, clean & consistent every time  💡 𝗦𝗶𝗺𝗽𝗹𝗲 𝗿𝘂𝗹𝗲: 👉 Local work → npm install   👉 Builds & deployments → npm ci  Avoid “works on my machine” issues by choosing the right command 🚀 #nodejs #javascript #npm #webdev #devtips

Someone stole a maintainers password. 😫😫😫 Passwords were invented over 60 years ago to secure systems. However the systems have now become so advanced that passwords and OTP can no longer keep you safe. Passkeys is the way forward, no credentials to steal.

Anthropic built a system called Undercover Mode specifically to stop Claude from leaking internal secrets. Then this happened. Never understood till date why anthropic did not make cc open source, it makes a lot of sense to have open source harness(look at codex adoption). Also here is the repo - https://lnkd.in/gdpGfvMa.

The Turing test days a machine can think if a human cannot recognize if a behavior is human or artificial. Was this mistake "human" or was it a machine pretending to be human? After all, humans make mistakes every now and then.