
Location: Vilnius, Lithuania.
Remote: Open to in-person, hybrid, and remote.
Willing to relocate: No.
Technologies: Figma, Adobe Illustrator, Adobe Photoshop, Jira, AI tools.
Résumé/CV: https://www.behance.net/ucarboni/projects https://www.linkedin.com/in/ucarboni/
Email: u.valaityte@yahoo.com


From how this is unfolding, the most probable outcome is that one of the maintainers is compromised (Ponya); all of the packages he contributed to have been marked


That could track, but people in the GitHub issue ( https://github.com/stylus/stylus/issues/2938#issuecomment-31... ) have found that no "other" version of Stylus has been released.


Amateur hour all around in that thread. I can't believe that people are actually, unironically recommending that you use a mutable git tag reference in package.json when they should be using a tamper-proof git SHA instead.
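
The point in the comment above (a git tag in package.json can be moved by anyone who controls the repository, a full commit SHA cannot) is easy to check mechanically. The following is an added example written for this page, not code from the stylus project or from anyone in the thread: it scans a package.json object for git-hosted dependencies whose ref is not a complete commit id. The sample manifest, its package names, the tag name and the all-'a' commit id are constructed for illustration.

```javascript
// Added example for this page: flag git dependencies in a package.json that
// are not pinned to a full commit id. A tag or branch name is a mutable
// pointer controlled by whoever can push to the repository; a 40-hex (SHA-1)
// or 64-hex (SHA-256) commit id names exactly one tree.

// Does this dependency spec resolve through git rather than the npm registry?
function isGitSpec(spec) {
  if (typeof spec !== 'string') return false;
  if (/^(git\+[a-z]+|git|ssh):\/\//.test(spec)) return true;     // git+https://, git+ssh://, git://
  if (/^(github|gitlab|bitbucket|gist):/.test(spec)) return true; // hosted-repo shorthands
  if (/^https?:\/\/[^#]+\.git(#|$)/.test(spec)) return true;      // https://host/user/repo.git[#ref]
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return true;         // bare user/repo[#ref] GitHub shorthand
  return false;
}

// The committish after '#', or '' when none is given (default branch).
function gitRef(spec) {
  const i = spec.indexOf('#');
  return i === -1 ? '' : spec.slice(i + 1);
}

// Pinned means the ref is a complete commit id, not a tag, branch or semver range.
function isPinnedToCommit(spec) {
  return /^([0-9a-f]{40}|[0-9a-f]{64})$/i.test(gitRef(spec));
}

// Walk the dependency maps and return every git dependency that is mutable.
function findMutableGitDeps(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isGitSpec(spec) || isPinnedToCommit(spec)) continue;
      const ref = gitRef(spec);
      let reason;
      if (ref === '') reason = 'no ref, resolves to the default branch at install time';
      else if (ref.startsWith('semver:')) reason = `semver range over tags (${ref})`;
      else reason = `mutable tag or branch "${ref}"`;
      findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project). The tag name and the
// all-'a' commit id are placeholders, not real identifiers.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: {
    'left-pad': '^1.3.0',                                      // registry range: not a git dep, skipped
    'stylus': 'github:stylus/stylus#v1.2.3',                   // mutable: the tag can be re-pointed
    'some-lib': 'git+https://github.com/example/some-lib.git', // mutable: no ref at all
    'other-lib': 'git+ssh://git@github.com/example/other-lib.git#' + 'a'.repeat(40), // pinned
  },
  devDependencies: {
    'tool': 'example/tool#semver:^2.0.0',                      // mutable: range over tags
  },
};

for (const f of findMutableGitDeps(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}.${f.name}: ${f.spec} -> ${f.reason}`);
}
```

Run it against a real manifest by replacing SAMPLE_PACKAGE_JSON with `JSON.parse(fs.readFileSync('package.json', 'utf8'))`. A commit pin only fixes which source tree is fetched; it says nothing about what that tree does when npm runs its install or prepare scripts, and it does not cover dependencies that come from the registry as tarballs.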


It may simply be GitHub and NPM going nuclear and just flagging everything just in case.


Since the Github issue is turning into an unusable mess and I am currently experiencing emotions I don't have to unleash here...

There is an interesting comment by one of the older maintainers of stylus, Panya [1]. Taking this at face value, they claim to have published some malicious packages for research purposes about dependency confusion [2] (their link). This also fits with the comments of a few people claiming to be security researchers, [3] and [4], which at least say the same and point to three malicious packages published by Panya.

Based on that, my own personal interpretation and simplest thesis is that Panya released some packages with questionable code. This triggered some security mechanism in npm, and that system yanked packages they were a contributor of [5], because the account looked compromised or otherwise malicious. And then pipelines went red.

If this was an actual malicious act, or curiosity about security and security responses getting a fairly nuclear security response, I don't know. You need to apply your own security reasoning to this -- if you even want to trust this comment :)

I just wanted to collect the interesting comments in a place, because that ticket is getting impossible to navigate.

1: https://github.com/stylus/stylus/issues/2938#issuecomment-31...

2: https://medium.com/@alex.birsan/dependency-confusion-4a5d60f...

3: https://github.com/stylus/stylus/issues/2938#issuecomment-31...

4: https://github.com/stylus/stylus/issues/2938#issuecomment-31...

5: https://github.com/stylus/stylus/issues/2938#issuecomment-31...

5, also: https://github.com/stylus/stylus/issues/2938#issuecomment-31... (thanks to the sibling comment, I couldn't find that anymore)


Could be! Other comments (~~can't find them now as the issue got full of useless comments~~ e.g. https://github.com/stylus/stylus/issues/2938#issuecomment-31...) also noted that the GHSA bot has nuked a lot of other npm packages for days or weeks in the same fashion, so it could also be an AI scanner going full nuclear.


Agree, it would be nice if people would stop posting "help! how can I fix this?" and "I fixed it by doing X". They were valid comments at the beginning, but now more than half of the comments are just these two.


Well, how else do people who never read and understood the tools they are using get help? Coding boot camps only teach so much lol.


The advisory says all the versions are affected ">= 0"

https://github.com/advisories/GHSA-fh4q-jc76-r59p


Once again proof that advisories are full of etc.

Stylus has been around for 15 (FIFTEEN) years. Obviously the "vulnerability" is a lie.

Npm is known to cause huge losses of money for developers and companies around the world when they pull things like this, blindly applying advisories.


This advisory is pointing to the stylus package

https://github.com/advisories/GHSA-fh4q-jc76-r59p

I'm still unsure if it's a mistake on NPM side or if stylus and the authors are compromised


It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?

Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.


The package was pulled at: 2025-07-23T03:03:01.239Z

And the GHSA advisory: 2025-07-23T03:03:56Z

So the GHSA was released after the pull (by a minute).


Also, if all the versions are affected, this malware has been in stylus since 2010. Honestly, it sounds improbable to me that malware exists unnoticed in open source software for 15 years. However, even if improbable, it's better to play it safe and just override the installation of stylus (especially if you are not using it) with an empty package until more information is released.
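
The kind of root package.json the comment above describes, as an added config example for this page (not from the thread or the stylus project): npm's `overrides` field redirects every resolution of stylus in the tree to a local stub. The directory `./stubs/stylus`, the stub's contents and the placeholder dependency name are assumptions.

```json
{
  "name": "example-app",
  "private": true,
  "dependencies": {
    "some-css-toolchain": "^1.0.0"
  },
  "overrides": {
    "stylus": "file:./stubs/stylus"
  }
}
```

The stub directory only needs a package.json declaring `"name": "stylus"` and an `index.js` that exports nothing. npm honours `overrides` only in the root project's manifest, so after `npm install` a `npm ls stylus` should show every path resolving to the stub. If something in the tree genuinely calls into stylus, the build fails loudly at that point instead of silently pulling the flagged package, which is the trade-off the comment is accepting.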


I agree that it seems very improbable. The only possible malicious scenario I can imagine is that the Github repo is clean, but npm creds have been compromised.


The current AI generation has an additional pain point compared to the bad coworker: it's unable to learn. You can give it a rule file, but it doesn't always respect it properly, and it doesn't update it itself. TL;DR: the bad colleague will stop making the same mistake in the PRs; the AI won't.

Hopefully this will change in future generations of AI


I have noticed that putting bananas in the fridge has a weird effect: the peel turns black as if it were outside, but the inside of the banana stays yellow and hard. It is very weird to peel a fully black banana and find the inside normal, without any browning.


I see this all the time with bananas that go from green to brown without turning yellow; I always heard people blame the bananas getting too cold during shipping.


I lost it when I moved but we used to have a chart on the fridge that said which fruits you should or should not store together because they make each other ripen faster.


Bananas speed up avocado ripening, I know that.


Anyone who has stuffed a banana into a pack or bag knows that bananas also speed up banana ripening. If you're going on an all-day hike, take the almost-ripe banana.


Whenever I see this happen, I like to say the bananas are sublimating.


Bananas emit a gas that causes them to ripen faster. The same gas can also cause other fruits in the same space to ripen. It's weird but kinda useful. There are products out there claiming to absorb this gas, to keep everything fresh for longer.


Wild-assed guess: the cold slows down the chemical reactions in the flesh of the banana but cannot save the skin. Putting bananas in a bag makes them ripen faster, and a fridge is just a larger enclosed space.


This! I used to think fridging bananas ruined them right away as they went brown, until I learned the insides are perfectly fine.


You can visualize it easily if you think about your own vision.

If you put a hand in front of your face (without covering your eyes), you will be able to see behind it even if both eyes see only a part of what is behind your hand.

Now, regarding the video, imagine that each pixel is an eye, and they are spread evenly along a circle.

There are a lot of differences between this example and what he actually did, but it should be very easy to visualize (the main difference I can think of is how much amplification he needed to do, as each eye is almost blind).


This is my second live coding session; it is something I started doing two days ago as a way to show my skills and create a portfolio.

I didn't share the first one because it was honestly too terrible, but I think this one didn't go as badly as the first one. There's for sure a lot of room for improvement, and I will be happy to hear feedback from this community, both positive and negative.


Yes, I plan to interact with the public. I got the idea of live streaming during a coding interview; I believe they would feel similar.


I do agree that job postings asking for personal projects are a little bit over the top.

The main problem with building products is the idea, the spark; honestly, I can't see at the moment a product that people need, or, even less, a product that I would need.


I don't worry about what other people need. I build for what I need and if it's not too much effort I also make it available to everyone just in case it's useful to them. A couple examples:

I got tired of configuring emacs by hand for use with Erlang. I had to look up the specific incantation that needed to go into the configuration file every single time. Yes, it only takes a couple of minutes and it's not something I do often, but now it's just a simple script away.

https://github.com/dlachausse/erlmacs

Another example: like a lot of people I anxiously wait for certain days to come or need a reminder of just how close we are getting to certain holidays and family birthdays. So I built a quick and dirty app in SwiftUI to countdown the days until a specified date. (It's free with no ads or IAPs, since I built it for my own needs and don't care to monetize it.)

https://apps.apple.com/us/app/countdownula/id6479545149


Ideas are easy. You don't need to think of a new idea (in fact, I highly suggest not doing that). Instead, pick an idea that has been done to death and do it again.

Make a cronjob monitoring service. Make a "privacy focused analytics" platform. Make a session replay service. Make a "javascript error collection" service. Make a user feedback widget as a service.

It doesn't matter what you make. Pick something that has been done before and do it on your own.

If you are hell-bent on live streaming -- live streaming that would be far more interesting than watching someone rebuild React.

