npm's recent provenance feature fixes this, and it's pretty easy to set up. It will seriously help prevent things like this from ever happening again, and I'm really glad that big packages are starting to use it.
> When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not.
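As an added illustration of the setup the comment above refers to (this is example configuration written for this page, not code from the original post, the thread, or npm itself), a GitHub Actions workflow that publishes with npm provenance. The trigger, Node version, and the `NPM_TOKEN` secret name are assumptions; the two parts that matter are the `id-token: write` permission, which lets the job mint the OIDC token that Sigstore signs, and the `--provenance` flag on `npm publish`.

```yaml
# Example workflow (assumed layout; not the original project's own)
name: publish
on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: the build's OIDC identity is what provenance attests
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'                       # ships npm 10, which supports --provenance
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm test
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # assumed secret name
```

On the consuming side, `npm audit signatures` (npm 9+) checks registry signatures and any provenance attestations for the packages in the lockfile. As the quoted passage says, a passing check only tells you the tarball was built from the stated commit by the stated workflow; whether that source is trustworthy is still your call.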
We never really thought about documenting progress, so the photo of the email was taken with a phone camera of a teacher's computer (they had sent the email). We managed to find it while I was writing the article earlier on in the year, in a "deleted pictures" folder. I thought it would be cool to add it on. It's purely because the project spanned such a long time and nothing was really written down or saved.
It was part of the homework, we had to watch a video and write down notes in a physical notebook. The notebook was never checked because they assumed that a video watched >=1x meant that we understood the task. The videos took a while to watch so we'd rather skip.
I didn't really get that vibe, especially when we called Colin. He was super friendly. But then again, we didn't want to test it and we complied immediately =)
Diplomacy often comes across as friendliness. I've been in situations where I've not acquiesced and seen how quickly things can change. As they say, don't take friendliness for weakness. Wonderfully managed by all parties though.
Yeah, chances are Hegarty was actually impressed and alarmed, and the best way to reconcile both of those was to befriend this kid, share the info so that HegartyMath doesn't get damaged from the leak, and send some praise their way for identifying a glaring security and utility issue in the app.
It's always a game of cat and mouse... if a human can use a website then it's theoretically possible that a robot can too. I used to do a lot of sneaker botting a few years prior, so I learned a lot about web automation then. Developers will always find a way, even if it means spending more time writing the software than it would have taken just doing the homework.
That's a good point, you're definitely on to something I think. Reversing classes at a young age would be super engaging for kids as it's "not something you're supposed to do"
My mother is a teacher for ages 7-11 and I help out with her IT curricula sometimes. I think I might do some reversing with her next time I am with them!