clncy commented on NPM stylus package contained malicious code and was removed from the registry   npmjs.com/package/stylus/... · Posted by u/vandot
maury91 · a month ago
Also, if all the versions are affected, this malware has been in stylus since 2010. Honestly, it sounds improbable to me that malware exists unnoticed in open source software for 15 years. However, even if improbable, it's better to play safe and just override the installation of stylus (especially if you are not using it) with an empty package until more information is released.
clncy · a month ago
I agree that it seems very improbable. The only possible malicious scenario I can imagine is that the GitHub repo is clean, but npm creds have been compromised.
clncy commented on NPM stylus package contained malicious code and was removed from the registry   npmjs.com/package/stylus/... · Posted by u/vandot
maury91 · a month ago
This advisory is pointing to the stylus package

https://github.com/advisories/GHSA-fh4q-jc76-r59p

I'm still unsure if it's a mistake on NPM side or if stylus and the authors are compromised

clncy · a month ago
It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?

Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.

clncy commented on CU Randomness Beacon   random.colorado.edu/... · Posted by u/wello
Octokat · 2 months ago
Skobuffs!
clncy · 2 months ago
The beacon to be guarded at all times by Ralphie??
clncy commented on 'It cannot provide nuance': UK experts warn AI therapy chatbots are not safe   theguardian.com/technolog... · Posted by u/distalx
vrighter · 4 months ago
You cannot really roll back a bug in a black-box system you don't understand.
clncy · 4 months ago
Exactly. More like changing the state of the system to reduce the observed behaviour while introducing other (unknown) behaviours
clncy commented on Tell HN: Enterprises spend 10x more to build no-code solutions than coded ones    · Posted by u/nancyp
clncy · 2 years ago
MS PowerApps, PowerAutomate and related offerings are truly awful products. I’ve given them the benefit of the doubt and been burned repeatedly.

Don’t tar all no/low code tools with the same brush though. I’ve had good success with Retool, for example.

clncy commented on Amazon Honeycode Shutting Down   honeycodecommunity.aws/c/... · Posted by u/navels
delocalized · 2 years ago
I wonder how long no-code is going to stay relevant in the age of AI. It feels like the segment of "what a novice with no-code can do that a novice with an appropriate AI tool can't" is ever-shrinking and the tail of "what specialized use cases AI can cover that no-code can't" continues to grow.
clncy · 2 years ago
No-code platforms are really DSLs wrapped in a nice UI. No-code platforms that are more open and developer focused typically let you actually dump out the app as a big bundle of config/DSL (e.g. a custom JSON format).

Maybe using LLMs to generate DSL code will produce better (and more maintainable) results than fully-fledged languages?

clncy commented on Ask HN: Anyone else feel like their whole career will just be tech debt?    · Posted by u/erlich
ActorNightly · 2 years ago
As long as someone pays me a highly inflated salary for doing things that other people can't because of the lack of proper CS education, I am totally fine doing tech debt.
clncy · 2 years ago
“In the land of the blind, the one-eyed man is King”
clncy commented on Alpine.js   alpinejs.dev/... · Posted by u/tosh
dgb23 · 3 years ago
The largest, most painful and apparent issue with JS related build tools is that they change and break. Frequently.

And no, `package.lock` is not enough of a solution, because you will have to update dependencies at some point. Congrats, you now have multiple moving, breaking parts in your dependency tree that throw the weirdest and unrelated errors. So you're hunting down GitHub issues, workarounds and patches, while still not really knowing what the problem was. The bonus here is that you need to remove these workarounds at some later point because your build tools and libraries have fixed the issues, so your code breaks again with very fun error messages or just straight up opaque and weird behaviors.

At some point we have to ask why we're doing this to ourselves. It's not fun at all.

clncy · 3 years ago
Agreed. Try inheriting a project that hasn’t been updated for a few years. Between the absolute dependency hell, and major breaking changes, there is huge temptation to just rewrite the whole thing.

Even a basic application requires layers upon layers of dependencies. Many of them are not as mature as people like to think either.

clncy commented on Cloud services like AWS or Google Cloud Platform may be the wrong choice   karlsutt.com/articles/you... · Posted by u/karls
clncy · 3 years ago
> And often it is so alluring that actual requirements and costs fly out the window. Need to scale... infinitely? Just use Lambda Functions.

I don’t know why the author singles out Lambda. For many use cases their ongoing maintenance is close to zero.

u/clncy · Karma 64 · Cake day June 20, 2020