There are basically two camps in that thread. 1) This is the original maintainer's fault for transferring ownership to someone they didn't know and trust. 2) Ownership transfer was fine; it's your job to vet all of the code you run.
Option 2 (vet all dependencies) is obviously impossible. Last I looked, a new create-react-app had around a thousand dependencies, all moving fast and breaking things.
Option 1 (a chain of trust between package authors) seems culturally untenable given the reactions in that thread, including from well-known package authors.
There was an option 3: don't decompose your application's dependency graph into thousands of packages. People who argued that position were dismissed as (to paraphrase heavily) old and slow. That ship has sailed, and now we're here.
It was cryptocurrency. Of course. https://mobile.twitter.com/joepie91/status/1067123980711198727
We knew that this was coming. https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
it’s almost like relying on unvetted free labor for millions of people’s work products is a bad idea
See also OpenSource
Ahhhh, been a while since the last npm dumpster fire
I have a much better idea: 1. overtake a popular library, 2. relicense to require publication of the app's source code, 3. hunt down apps using it, 4. ask to publish the code or buy a custom license for a lot of money.
Wouldn’t that be locked down to the version though? You can’t just retroactively ask for money if you installed the version under a current license at that particular moment.
Yes it would. Did you review the license of every dependency (transitively) last time you did an update?
Option 4: never transfer packages
Turns out it's crypto of course it's crypto aaaah
Relying on one person to shoulder the burden for a highly used package is a symptom of a systemic problem. At what point should a package have a maintainers / working group? Is it ad hoc? Is there a threshold?