Readit News
bodash commented on Shai-Hulud Returns: Over 300 NPM Packages Infected   helixguard.ai/blog/malici... · Posted by u/mrdosija
giantg2 · a month ago
Do you know of anything similar for pip?
bodash · a month ago
Most of the best practices can be translated to the Python ecosystem. It's not an exact 1:1 mapping, but change a few key terms and tools and the underlying practices should be the same.

Or copy that repo's markdown into an LLM and ask it to map it to the pip ecosystem.

bodash commented on Shai-Hulud Returns: Over 300 NPM Packages Infected   helixguard.ai/blog/malici... · Posted by u/mrdosija
bodash · a month ago
I compiled a list of NPM best practices one can adopt to reduce supply chain attack risks (even if there is no perfect security prevention, _always_): https://github.com/bodadotsh/npm-security-best-practices

Discussion on HN last time: https://news.ycombinator.com/item?id=45326754

bodash commented on NPM flooded with malicious packages downloaded more than 86k times   arstechnica.com/security/... · Posted by u/jnord
650REDHAIR · 2 months ago
As a hobbyist how do I stay protected and in the loop for breaches like this? I often follow guides that are popular and written by well-respected authors and I might be too flippant with installing dependencies trying to solve a pain point that has derailed my original project.

Somewhat related, I also have a small homelab running local services and every now and then I try a new technology. Occasionally I'll build a little thing that is neat and could be useful to someone else, but then I worry that I'm just a target for some bot to infiltrate because I'm not sophisticated enough to stop it.

Where do I start?

bodash · 2 months ago
Shameless plug, but here's a list of things you could follow to mitigate risks from npm: https://github.com/bodadotsh/npm-security-best-practices
bodash commented on Show HN: Tips to stay safe from NPM supply chain attacks   github.com/bodadotsh/npm-... · Posted by u/bodash
Rockslide · 3 months ago
That first recommendation of pinning exact versions of each and every dependency is borderline insane. That's exactly what lockfiles are for. Which are used by default.
bodash · 3 months ago
The lockfile is updated _after_ any new malicious version is downloaded and installed. If we pin the exact version, `npm install` will _not_ download and execute any newly published versions.

That's why we use `npm ci` or `--frozen-lockfile` to install exactly the versions in the lockfile. But, by default, the `^` operator and a plain `install` command will check the registry for any new releases and download them.

The primary arguments against pinning versions are missing security updates and increased maintenance overhead. But given the patterns we've seen, the attackers really _hope_ we automatically install new releases.
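
Added example, not from the thread or from the linked repo: a small dependency-free JavaScript resolver that shows what a caret range versus an exact pin admits whenever resolution is done afresh against the registry (lockfile absent, regenerated, or updated). The registry version lists and the "newly published" 1.4.2 are constructed data; the caret rules follow npm's semver (`^1.2.3` is `>=1.2.3 <2.0.0`, `^0.2.3` is `>=0.2.3 <0.3.0`, `^0.0.3` is `>=0.0.3 <0.0.4`). Two caveats a practitioner should keep in mind: with a lockfile present whose resolution still satisfies the range, current npm keeps the locked version on `npm install`, so the range only bites when resolution happens afresh (no lockfile, a lockfile that was deleted or regenerated, a transitive dependency that is re-resolved); and `npm ci` refuses to run at all if package.json and the lockfile disagree, which is the failure mode you want.

```javascript
// Added example (not from the thread or the linked repo). Simulates how a
// caret range and an exact pin resolve against a registry before and after
// a new version is published. All version data below is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Does `version` satisfy `range`? Supports an exact pin ("1.4.1") and a caret
// range ("^1.4.0") with npm's caret rules: the leftmost non-zero component
// is frozen, everything to its right may float upward.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) {
    return compare(parseVersion(range), v) === 0;
  }
  const base = parseVersion(range.slice(1));
  if (compare(v, base) < 0) return false;
  let upper;
  if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compare(v, upper) < 0;
}

// Fresh resolution: the highest registry version that satisfies the range,
// or null if nothing does (for a pin, that means the pinned version is gone,
// which fails loudly instead of silently picking a neighbour).
function resolve(range, registryVersions) {
  const ok = registryVersions
    .filter((v) => satisfies(range, v))
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Given the version recorded in the lockfile, which registry versions would a
// fresh resolution be willing to pull that the lockfile never saw?
function driftCandidates(range, lockedVersion, registryVersions) {
  const locked = parseVersion(lockedVersion);
  return registryVersions.filter(
    (v) => satisfies(range, v) && compare(parseVersion(v), locked) > 0,
  );
}

// Constructed scenario: the lockfile was written when 1.4.1 was the latest,
// then a new 1.4.2 is published (the malicious-release case from the thread).
const registryBefore = ['1.3.0', '1.4.0', '1.4.1'];
const registryAfter = [...registryBefore, '1.4.2'];
const locked = '1.4.1';

function scenario() {
  return {
    caretBefore: resolve('^1.4.0', registryBefore),              // '1.4.1'
    caretAfter: resolve('^1.4.0', registryAfter),                // '1.4.2' (new, unreviewed)
    pinBefore: resolve('1.4.1', registryBefore),                 // '1.4.1'
    pinAfter: resolve('1.4.1', registryAfter),                   // '1.4.1' (unchanged)
    caretDrift: driftCandidates('^1.4.0', locked, registryAfter), // ['1.4.2']
    pinDrift: driftCandidates('1.4.1', locked, registryAfter),    // []
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The `driftCandidates` check is the one worth wiring into CI: run it over package.json ranges against the lockfile, and a non-empty result for any dependency is exactly the window in which an `npm install` that re-resolves would pull a release nobody has reviewed yet.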

bodash commented on Ask HN: Is it time to fork HN into AI/LLM and "Everything else/other?"    · Posted by u/bookofjoe
simonw · 5 months ago
I built you this: https://tools.simonwillison.net/hacker-news-filtered

It shows you the Hacker News page with AI and LLM stories filtered out.

You can change the exclusion terms and save your changes in localStorage.

o3 knocked it out for me in a couple of minutes: https://chatgpt.com/share/68766f42-1ec8-8006-8187-406ef452e0...

Initial prompt was:

  Build a web tool that displays the Hacker
  News homepage (fetched from the Algolia API)
  but filters out specific search terms,
  default to "llm, ai" in a box at the top but
  the user can change that list, it is stored
  in localstorage. Don't use React.
Then four follow-ups:

  Rename to "Hacker News, filtered" and add a
  clear label that shows that the terms will
  be excluded

  Turn the username into a link to
  https://news.ycombinator.com/user?id=xxx -
  include the comment count, which is in the
  num_comments key

  The text "392 comments" should be the link,
  do not have a separate thread link

  Add a tooltip to "1 day ago" that shows the
  full value from created_at

bodash · 5 months ago
I also built https://lessnews.dev (HN filtered by webdev links)

One decision I had to make was whether the site should update in real time or be curated only. Eventually, I chose the latter because my personal goal is not to read every new link, but to read a few and understand them well.

bodash commented on Kite News   kite.kagi.com/... · Posted by u/tigroferoce
bodash · 5 months ago
I've also been experimenting with a curated webdev related newsfeed based on HN submissions: lessnews.dev. The goal is not to keep users on the site. If some dev visits the site once in a while and finds a link useful, that's it.

u/bodash
Karma: 50 · Cake day: February 22, 2025
About
blog: boda dot sh