baloki commented on NPM debug and chalk packages compromised   aikido.dev/blog/npm-debug... · Posted by u/universesquid
junon · a day ago
Hi, yep I got pwned. Sorry everyone, very embarrassing.

More info:

- https://github.com/chalk/chalk/issues/656

- https://github.com/debug-js/debug/issues/1005#issuecomment-3...

Affected packages (at least the ones I know of):

- ansi-styles@6.2.2

- debug@4.4.2 (appears to have been yanked as of 8 Sep 18:09 CEST)

- chalk@5.6.1

- supports-color@10.2.1

- strip-ansi@7.1.1

- ansi-regex@6.2.1

- wrap-ansi@9.0.1

- color-convert@3.1.1

- color-name@2.0.1

- is-arrayish@0.3.3

- slice-ansi@7.1.1

- color@5.0.1

- color-string@2.1.1

- simple-swizzle@0.2.3

- supports-hyperlinks@4.1.1

- has-ansi@6.0.1

- chalk-template@1.1.1

- backslash@0.2.1

It looks and feels a bit like a targeted attack.

Will try to keep this comment updated as long as I can before the edit expires.

---

Chalk has been published over. The others remain compromised (8 Sep 17:50 CEST).

NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.

Email came from support at npmjs dot help.

Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).

Just NPM is affected. Updates to be posted to the `/debug-js` link above.

Again, I'm so sorry.

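A defender's check for the version list above, added here and not part of junon's post or of any of those projects' code: it walks an npm package-lock.json (lockfileVersion 2 or 3, i.e. the `packages` map; the older v1 `dependencies` tree is not handled) and reports every installed copy, nested ones included, pinned to one of the compromised versions. The sample lockfile is constructed.

```javascript
// Added example (not from the original post): flag the compromised versions
// listed above in an npm package-lock.json (lockfileVersion 2 or 3).
const COMPROMISED = {
  "ansi-styles": "6.2.2", "debug": "4.4.2", "chalk": "5.6.1",
  "supports-color": "10.2.1", "strip-ansi": "7.1.1", "ansi-regex": "6.2.1",
  "wrap-ansi": "9.0.1", "color-convert": "3.1.1", "color-name": "2.0.1",
  "is-arrayish": "0.3.3", "slice-ansi": "7.1.1", "color": "5.0.1",
  "color-string": "2.1.1", "simple-swizzle": "0.2.3", "supports-hyperlinks": "4.1.1",
  "has-ansi": "6.0.1", "chalk-template": "1.1.1", "backslash": "0.2.1",
};

// Lockfile v2/v3 keys the "packages" map by install path, e.g. "node_modules/chalk"
// or "node_modules/foo/node_modules/debug" for a nested copy; the package name
// (scoped names included) is whatever follows the last "node_modules/".
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? null : installPath.slice(i + marker.length);
}

// Returns every installed copy whose exact version matches the compromised one.
// Accepts the lockfile as a JSON string or an already-parsed object.
function findCompromised(lockfile) {
  const lock = typeof lockfile === "string" ? JSON.parse(lockfile) : lockfile;
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(installPath);
    if (name !== null && COMPROMISED[name] === entry.version) {
      hits.push({ name, version: entry.version, path: installPath });
    }
  }
  return hits;
}

// Constructed sample lockfile: a clean chalk, a compromised debug nested under
// another dependency, and a compromised simple-swizzle at top level.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.0" },
    "node_modules/foo": { version: "1.2.3" },
    "node_modules/foo/node_modules/debug": { version: "4.4.2" },
    "node_modules/simple-swizzle": { version: "0.2.3" },
  },
});

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `require("fs").readFileSync("package-lock.json", "utf8")`.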
baloki · 6 hours ago
Happens to the best of people. Appreciate your fast and open response.
baloki commented on NPM debug and chalk packages compromised   aikido.dev/blog/npm-debug... · Posted by u/universesquid
baloki · 6 hours ago
A package on the list called ‘simple-swizzle’ turns out to be used in OpenNext which is an unexpected attack vector for sure.
baloki commented on Show HN: Nissan's Leaf app doesn't have a home screen widget so I made my own   kevintechnology.com/posts... · Posted by u/kcon
STELLANOVA · 5 months ago
Great work! I love commitment to make it at no cost as @liamwire mentioned. Still not sure why on Earth car manufacturers would not just release APIs open to all owners (basically issue API key based on VIN) and let them use it. For developers to build apps that will only require API key to be entered would be win/win for everyone....
baloki · 5 months ago
Their API used to work via just providing a VIN; however, that also allowed remote control, so you could just run through all the VINs Nissan uses and turn on remote heating, etc.

This was reported in the media which caused Nissan to start locking down their API something fierce.

Then the three years free of many services have started to expire for most vehicles, so locking it down more became a potentially profitable exercise, so now they actually have development work against it.

baloki commented on The failure of self-checkout technology   bbc.com/worklife/article/... · Posted by u/LaksiMati
robertlagrant · 2 years ago
Co-op in the UK has that as well. I don't know if it's the same for every area, but the one near friends of ours that we pop into on the way to theirs just has a scanner.
baloki · 2 years ago
They also run facial recognition on anyone who uses them though :/

This article mentions the south of England but they’ve rolled it out country-wide since:

https://www.wired.co.uk/article/coop-facial-recognition

baloki commented on Volkswagen, Porsche, and Audi say they will use Tesla's EV charging plug   theverge.com/2023/12/19/2... · Posted by u/thunderbong
g_p · 2 years ago
How would paying for an EV charge work like this? Would you select an amount of credit in currency (presumably via buttons on the charger?) then tap-to-pay for that amount?

(I believe there are some limitations on tap-to-pay transactions to prevent a merchant presenting the transaction with a different value after actually tapping the card.)

I think a lot of "pay at pump" fuel stations require a full insertion of the card to pre-authorize a large amount, then release it as a partial refund once the amount of fuel dispensed is known.

Would this be a barrier to EV charging, if you need a way to communicate this upfront, or have to effectively replicate out EMV infrastructure on totally unmonitored terminals with PIN readers (and likely the next card skimming scandal brewing)?

Also, how would contactless-only work for cards that get soft locked to be inserted for a PIN check? Would there be a way for EV chargers to be exempted from this? Or would people end up stuck and unable to charge as there's no available place with a PIN reader they can use to unlock their contactless payments?

baloki · 2 years ago
They generally pre-auth for either £20 or £40 and then update the amount post-transaction.

In terms of PIN check, the card is just declined with an appropriate error message because you can’t insert it and the next time you use a contactless machine it asks for the card to be inserted and a PIN entered.

For petrol (gas) pumps in the UK it generally auths either £1 or £99.

baloki commented on Monsters of the Road: What Should the UK Do About SUVs?   theguardian.com/technolog... · Posted by u/pharmakom
kergonath · 2 years ago
Cars should be taxed based on their weight and there should be much stricter standards regarding visibility.

There is no reason why most of us should subsidise a few people’s status symbol and their entirely unnecessary use of public resources. Ultimately you should not be able to buy these, at least in their current form, as they serve no purpose whatsoever besides inflating their owner’s ego at a significant cost to others. We are not talking about pickup trucks and light trucks used in the countryside: these monstrosities are designed for motorways and paved roads and will never see as much as a dirt road.

baloki · 2 years ago
In the UK you’re taxed more on vehicle excise duty if a car costs more than £45,000 as it’s a luxury.
baloki commented on Scrollbars are becoming a problem   artemis.sh/2023/10/12/scr... · Posted by u/dredmorbius
michaelteter · 2 years ago
I know it feels clunky (perhaps) aesthetically to have thick scroll bars and thick sliding dividers and thick window borders, but I would choose ergonomics over prettiness.

Even as a normal human with good motor control, good equipment, and decent eyesight, I routinely encounter situations (macOS) where I have to carefully move the pointer back and forth across a region where I know the "line" (divider, border) is so I get the opportunity to move something.

Another related problem is the overloading of the title bar. In the past, the title bar was always there for each window. Grabbing and moving a window was very easy. Now, many apps try to move menus and other controls into that space, leaving the user to find the few pixels here or there which can be grabbed to move the window (rather than taking some action within the app). Some apps allow you to revert to normal title bar (thank you Firefox), but some don't. And true, you gain some valuable screen space from what would normally be a wasted big area of title bar, but the tradeoff sucks when you need to move something.

baloki · 2 years ago
First thing I do on MacOS is turn on always show scrollbars tbh.
baloki commented on UK Parliament undermined the privacy, security, freedom of all internet users   eff.org/deeplinks/2023/09... · Posted by u/judiisis
jackjeff · 2 years ago
How would these extra territorial laws be enforced?

I mean I break Chinese law all the time; I have a blog without the necessary permits delivered by the PRC bureaucracy.

How is this UK law any different? Unless you have some kind of tie to the UK why should you care? What are they going to do? They can’t fine you nor put you in jail. Are they going to block your sites? Then everybody in the UK will use VPNs (just like China) undermining the ability of the government to enforce such laws even further.

GDPR was a EU law (much bigger than UK), it was not as tedious to comply with, and the PR would have been bad for any company breaching it. None of this is true here. The PR is actually good if you don’t follow this law; you can say you’re defending human rights and stuff.

baloki · 2 years ago
They block your site at the ISP level. They’ve been doing that for years.

They’d fine you as well but that’s probably less enforceable.

baloki commented on UK Parliament undermined the privacy, security, freedom of all internet users   eff.org/deeplinks/2023/09... · Posted by u/judiisis
baloki · 2 years ago
What I really don’t understand is why parents aren’t responsible for monitoring their children's access to the Internet anymore?

Why does it need to be done at each website instead of at the point of access?
