Hacker Times: gleenn's comments

Shouldn't you care more about the actual issue than who is writing the laws around it? Why are you so pissed off about the "who" instead of happy you are getting what you want?

I'm not getting what I want on free speech, because the center left form the ruling parties. And I wouldn't want the right to be in power anyways, though soon they couldn't do much worse to this democracy.

People here are getting police visits and legal mail because they called a politician a name on twitter or get investigated over a sign they held at a political protest.

Thousands of cases at this point.


And in the US we're having serious free speech issues with the right right now. Sorry to be confusing, I just wonder why you think there's necessarily a direct equivalence between the left-right politics of two different countries, and why you're not more concerned about actual rights violations instead of who's scoring political points.

It exists, although people complain it is too noisy. You can hook in any of your own tools too.

https://github.blog/security/how-to-scan-for-vulnerabilities...


I had the privilege of working and sleeping in the original Craigslist office/house in San Francisco. It was just another typical, ageing house they had rearranged a little to have a ton of desk space in the main area. A lot of startups (including Zappos IIRC) had also been there over the years. They had a mattress in the loft/attic you could crash on if you were up late too.

Friends don't let friends use NPM. At this point it is so wildly crazy watching people get owned, I don't understand how anyone uses it when they could use e.g. pnpm and block one of the most obvious and frequently exploited holes. These tools with arbitrary code execution when trying to download some code have got to stop.

Edit: typos


GitHub / Microsoft could easily fix this, couldn't they? Leaving NPM up in its current state seems criminal, especially since LLMs generate NPM commands so frequently.


And the discussion here, with 215 comments: https://qht.co/item?id=48467705

Is it possible to fix it in a backwards compatible way? Removing lifecycle scripts is at least a semver major change, and would complicate existing projects relying on packages with lifecycle scripts from upgrading.

This is a real world trolley problem scenario. You can break workflows or you can let everyone get pwned by supply chain attacks. Which is the greater harm?

People will not adopt a safer version if it broke their workflows. Adoption is part of preventing supply chain attacks.

They will if it's the only version. Eventually.

Sure they will. When the real or perceived cost of addressing supply chain attacks exceeds the cost of changing tooling workflows, they will switch.

> Friends don't let friends use NPM

or linkedin


I don't have friends, therefore I must use LinkedIn to get a job. Hooray!

I know you are joking, but there is something about this that I really don't get. "Friends" here really means "a professional network". Many nerds despise having one or maintaining/building one. At the same time, people pour weeks/months/years of their life into optimizing their modest investment portfolios. 0.01 percentage points of yearly cost differences of some passive ETF. That surely compounds. But you know what also compounds? Knowing somebody who knows somebody who has $skill or $job_posting. In a big way. Your work comp is still the biggest source of income for most, but investing into optimizing it by broadening your network is something people don't want to do. They'd rather discuss the tax implications of nuances of some investment portfolio.

I don't disagree, but broadening your network is a very different skill (being social) than handling investment portfolios. And for some of us, it's not that we necessarily despise creating or maintaining a network, it's that we suck at it.

And that's my point. Putting just a little bit of minimal effort pays off much more than micro-optimizing some etf investment. Big time.

>These tools with arbitrary code execution when trying to download some code have got to stop

But you still end up with the code on your machine and risk it being run.

Bigger issue is giant, inscrutable dependency trees.

In this example, if they tried to run the test suite or application, they'd have been in the same boat.

AFAIK all or most languages have some way to run arbitrary code at install time, but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things.


Claude Code regularly installs dependencies using (p)npm after I e.g. pull a company main branch to get in sync with my teammates. That happens often. So I pull, Claude edits some code as you requested and it should pass because Claude did alright, but your local box has out-of-date deps. So then Claude runs (p)npm i and now we have automatic exploitation of this gaping hole in npm given extremely common and current AI tooling. Someone has to figure out how to stop AI from running that command or NPM needs to stop that behavior, and I guarantee you it will be easier to get one tool to change than all AI.

The lockfile should protect you there. It'd only be an issue if you're working on updating dependencies in which case there's other protection like min-release-age
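The two install-time risks argued over in this subthread (lifecycle scripts that execute during `npm install`, and freshly published versions that nobody has had time to vet) can be checked before an agent or a human runs the install. The script below is an added example written for this page, not code from the thread, npm or pnpm. It assumes the dependency's `package.json` as a plain object and the registry packument for that package, whose `time` map of version to ISO publish date is how the real npm registry reports publish times; the package names and dates are constructed sample data, and `MIN_AGE_DAYS` is a policy value chosen for illustration.

```javascript
// Added example (not from the original thread): audit one dependency for the two
// install-time risks discussed above before letting anything run `npm install`.
//   1. lifecycle scripts that execute arbitrary code during install
//   2. a resolved version published too recently to have been vetted
// `pkg` is the dependency's package.json as an object; `packument` is the registry
// metadata document, whose `time` map (version -> ISO date) the real npm registry
// provides. All sample data below is constructed, not taken from real packages.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const MIN_AGE_DAYS = 7; // illustrative policy value, not an npm or pnpm default
const MS_PER_DAY = 86400000;

// Scripts npm (and pnpm, when scripts are allowed) run automatically on install.
function installTimeScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== '')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Whole days since `version` was published, from the packument's `time` map.
// Returns null when the registry has no publish time for that version.
function releaseAgeDays(packument, version, now = new Date()) {
  const published = packument && packument.time && packument.time[version];
  if (!published) return null;
  return Math.floor((now.getTime() - new Date(published).getTime()) / MS_PER_DAY);
}

// Combined verdict. A version younger than `minAgeDays` is treated as unvetted and
// a missing publish date fails closed rather than being ignored.
function auditDependency(pkg, packument, version, minAgeDays = MIN_AGE_DAYS, now = new Date()) {
  const scripts = installTimeScripts(pkg);
  const ageDays = releaseAgeDays(packument, version, now);
  const reasons = [];
  if (scripts.length > 0) {
    reasons.push(`runs install-time scripts: ${scripts.map((s) => s.hook).join(', ')}`);
  }
  if (ageDays === null) {
    reasons.push(`no publish date for ${version} in registry metadata`);
  } else if (ageDays < minAgeDays) {
    reasons.push(`${version} published ${ageDays} day(s) ago (minimum ${minAgeDays})`);
  }
  return { ok: reasons.length === 0, scripts, ageDays, reasons };
}

// Constructed sample data: a mature package with only a test script, and a
// version published hours ago that also carries a postinstall hook.
const matureManifest = { name: 'left-pad-ish', version: '1.4.2', scripts: { test: 'node test.js' } };
const maturePackument = { name: 'left-pad-ish', time: { '1.4.2': '2024-01-10T00:00:00.000Z' } };
const freshManifest = {
  name: 'fresh-helper',
  version: '2.0.1',
  scripts: { postinstall: 'node scripts/setup.js', test: 'jest' },
};
const freshPackument = {
  name: 'fresh-helper',
  time: { '2.0.0': '2025-03-01T00:00:00.000Z', '2.0.1': '2025-03-09T18:30:00.000Z' },
};
const NOW = new Date('2025-03-10T00:00:00.000Z'); // fixed clock so the sample is reproducible

function runSample() {
  return {
    mature: auditDependency(matureManifest, maturePackument, '1.4.2', MIN_AGE_DAYS, NOW),
    fresh: auditDependency(freshManifest, freshPackument, '2.0.1', MIN_AGE_DAYS, NOW),
  };
}

for (const [name, verdict] of Object.entries(runSample())) {
  console.log(name, verdict.ok ? 'OK' : 'BLOCK', verdict.reasons);
}
```

In the sample, `left-pad-ish` passes (no install hooks, 425 days old) and `fresh-helper` is blocked on both counts. The cheaper, tool-level mitigations are the ones the thread alludes to: `ignore-scripts=true` in `.npmrc` stops npm from running lifecycle scripts at all, and pnpm 10 stopped running dependency lifecycle scripts by default unless a package is explicitly allow-listed. A lockfile pins the resolved versions so a routine `pnpm i` after a pull does not pick up a new release; the age check only matters when the lockfile is being updated.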

If pulling down your company repo and running `npm install` can lead to a compromise, something has gone terribly wrong with your company's security setup.


I agree, but I'd extend that to any language using a package manager at this point. "A little copying is better than a little dependency" is even more correct now.

All my current projects have all the code needed in the repo (unless impossible, and aside from a compiler which I guess could also be compromised)


IYKYK

Thanks for the reminder. I installed npm yesterday to extract Electron app contents and forgot to remove it afterward.

I haven't heard anyone specifically state their justification for blocking bio research, so I can only assume it's to prevent manufacturing bio weapons or viruses?

> I personally find OOP to be the most intuitive for large scale systems design, but that's just me.

The beauty of Clojure shines through when you want to change something that cuts through a large part of a large project. If you are using mutable data, you may end up with many bugs from various pieces of code mutating objects inconsistently. With Clojure, if someone hands you data, you can't possibly break some distant piece of code by updating an object: it's just not possible, because you only ever make fast, updated copies. The more complicated your codebase gets, the more this benefit is realized.

I actually kind of think of it as an easier mechanism with similar outcomes to Rust's borrow checker. Only one piece of code ever owns the data so things end up much safer. However it is way easier to use IMHO because you just know that zero people own anything and everyone can read everything.

It also makes converting some code to be multi-threaded extremely easy and, with some constraints, guaranteed to be correct.

Lots of dovetailing features neatly put together for both clarity and fewer bugs, and more usable cores which are probably sitting idle.


Because they are breaking all their own rules by removing the seasoning and profitability requirements to fast-track this stock in.


Not if the reason is "I want to stalk my ex".


Then write down a different reason? There are no consequences for being dishonest.


Sometimes I feel like it's a cover for some other org actually just wanting to steal the data and this being the excuse.


You mean like if our government was compromised at the highest levels and they wanted to undermine everything without the public realizing? Btw what happened to all the social security data that DOGE exfiltrated?


When empires collapse, it's usually not caused by a foreign power, but by negligence and corruption from within.


The fact we're asking about it means the public realized.

The problem is the public is dumb, at least when it comes to security, and couldn't tell you why password123 is bad.


I think most people realize that leaving your passwords in public is dangerous.


Don't they call this "parallel construction" or some such?


Technically it's a transpiler.

