Replies (23)

fortunately, i hacked claude. it's now writing code without npm or any stupid framework. turns out it runs way faster, is easier to fix and extend, and completely removes this vulnerability altogether. and the code itself is moxie, my trimmed down, IPC based parallelised single thread per process architecture, inspired by Rob Pike languages like Newsqueak. concurrency in the ui. concurrency in dedicated network handlers, data handlers, and whatnot. using MV2 architecture in firefox instead of retarded MV3 (pushed by google with chrome) which was disrupting my multi-process threading with communication instead of memory sharing. claude is trained to deal with all that npm stuff, but what i've made is far simpler, the bigger problem has been to stop claude reaching for those tools reflexively.
Troy 2 weeks ago
But isn't it just the axios library that's compromised? Or does this mean all of npm is poisoned?
I haven't looked into it enough to see what's happening. Whenever I did look into it, the vulns were node server-side (because it's server side usually). Everyone has an opinion or bias on this, but really I think the alarm bell is just ringing more frequently. That's not exactly a bad thing, yeah it's a pain upgrading all the time, but is it really just bad development? I don't want to encourage "roll your own" and forks are difficult to maintain imo, I hate reworking other people's code, I'd rather build it from scratch.
Troy 2 weeks ago
I was going to suggest that people write their own, but that seems like a forgotten paradigm. Thankfully, it's not.
At that point, everyone should just build their own memory allocators, IO/thread schedulers, and file management. All of which take, what's now, specialty education, especially operating systems. Then you'd be like me, forever building libraries, and rarely shipping usable products.
Troy 2 weeks ago
I would say it comes down to choosing battles. If a pre-built component becomes regularly hostile (Axios), it's better to forge your own. Doing that for every component, even the ones that are solid, can have you never leaving the forge. I worked with a guy in 2006 that wanted to do privatized space flight. I was excited about his lofty goal. Over the next couple of years, I started learning that he continually wanted to build everything himself. Flightsuits, the components of flightsuits... he probably wanted to mine the metals too. Learning to leverage the work of others is important, it's how great things are built. At the same time, blindly relying on others is destined for failure.
Fair enough, at one point I dreamed of being that guy you worked for XD That's something only experience can teach you. Everything worth using is built on a house of cards if you look close enough.
Axios may be included in other dependencies, or their dependencies, and so on. It’s hard to say where it might be included in a long chain. You don’t have to be directly dependent on it, because some packages in the chain might
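The point above, that a compromised package can reach you through a chain of dependencies you never listed yourself, is something you can check rather than guess at. The script below is an added example, not code from anyone in this thread: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` using npm's nearest-`node_modules` resolution rule and reports every chain through which a named package is installed, with the version at the end of each chain. The lock file object is constructed for illustration, and the package names `http-helper` and `old-sdk` are hypothetical; on a real project you would load `./package-lock.json` instead.

```javascript
// Added example: find every dependency chain that pulls a target package
// (for instance axios) into a project, including nested node_modules copies.
// SAMPLE_LOCK is CONSTRUCTED for this demo; http-helper and old-sdk are
// hypothetical packages. In practice: const lock = JSON.parse(fs.readFileSync("package-lock.json"));
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "http-helper": "^1.0.0", "left-pad": "^1.3.0", "old-sdk": "^2.0.0" } },
    "node_modules/http-helper": { version: "1.0.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.6.0", dependencies: { "follow-redirects": "^1.15.0" } },
    "node_modules/follow-redirects": { version: "1.15.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/old-sdk": { version: "2.0.0", dependencies: { axios: "^0.21.0" } },
    // Nested copy: old-sdk pinned an incompatible range, so npm installed a second axios under it.
    "node_modules/old-sdk/node_modules/axios": { version: "0.21.4" },
  },
};

// Resolve a dependency name the way Node does: look for
// <fromPath>/node_modules/<name>, then climb one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. an optional dep that was skipped)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root entry (""). Returns one record per chain that
// ends at `target`: the chain of package names, the resolved version and the
// on-disk path. A stack set guards against dependency cycles.
function findDependencyPaths(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  const onStack = new Set();

  function walk(pkgPath, chain) {
    const entry = packages[pkgPath];
    if (!entry || onStack.has(pkgPath)) return;
    onStack.add(pkgPath);
    const deps = Object.assign({}, entry.dependencies, entry.devDependencies, entry.optionalDependencies);
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, pkgPath, name);
      if (!resolved) continue;
      const next = chain.concat(name);
      if (name === target) {
        results.push({ chain: next, version: packages[resolved].version, path: resolved });
      }
      walk(resolved, next); // keep going: the target may also appear deeper
    }
    onStack.delete(pkgPath);
  }

  walk("", []);
  return results;
}

// Human-readable lines, one per chain, e.g. "http-helper > axios@1.6.0 (node_modules/axios)".
function formatReport(results) {
  return results.map((r) => r.chain.join(" > ") + "@" + r.version + " (" + r.path + ")");
}

for (const line of formatReport(findDependencyPaths(SAMPLE_LOCK, "axios"))) {
  console.log(line);
}
```

Run against the sample this prints two chains: one reaching axios 1.6.0 through `http-helper`, and a second, older axios 0.21.4 that `old-sdk` carries in its own nested `node_modules`, which is exactly the kind of copy a quick look at the top-level `package.json` would miss. Pairing the reported versions with the affected range from an advisory tells you whether any chain actually installs a compromised release.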
Troy 2 weeks ago
The more I run into poor quality, the more I find myself saying, "I guess I'll have to build my own!" I do think our current state of goods needs more of that. Planned obsolescence and weak subscription models aren't what people want.
Troy 2 weeks ago
That's what I was wondering.