Peter van der Zee
@pvdz.ee
📤 421
📥 93
📝 928
tafka @kuvos eng
@socket.dev
- 15yr js/ts - rust - ex vercel - ex fb - js1k-guy
pinned post!
Today is my first day at
@socket.dev
! 😱 Perfectly aligns with what I want. Stoked to get started 🧐
about 1 year ago
3
27
1
Dangit, the school system not writing with proper punctuation, caps and syntax actually proves you're human! The bots could never lower themselves to write invalid sentences!
about 17 hours ago
0
1
0
try { } catch (x) rethrow A,B { } "but not A,B", "ignoring A,B", "don't catch A,B", "catch (x) if A,B", I dunno... Seems like an AbortError is a viable real-world common candidate to get this treatment (arguably, that's "abusing" the throw mechanic as a side channel, but that ship has sailed).
about 21 hours ago
0
0
0
Anyone know of a chess book that teaches you an opening by like puzzles and steps you through lines for a particular opening and explains most of them into the middle game, but also the ideas behind it, why certain moves are bad, etc? Maybe a bit modern? I'm not finding books that hit the spot :/
3 days ago
0
0
0
The axios compromise blast radius is much much much bigger than people seem to suspect. The secret: transitive dependencies with open ranges making it extremely obscure and difficult to detect whether you were affected, after the fact.
9 days ago
0
7
5
Dog ate my homework -> Claude rimraffed me, sir.
10 days ago
0
0
0
Arguably, it's okay to reduce your phantom opaque rate limits down to borderline useless when your users still won't hit these new limits (either) anyways, right? Because you can't reach rate limits WHEN THE PRODUCT HAS AN INCIDENT/OUTAGE ALL THE TIME :smart: oof.
11 days ago
0
0
0
Yikes.
socket.dev/blog/axios-n...
Supply Chain Attack on Axios Pulls Malicious Dependency from...
A supply chain attack on Axios introduced a malicious dependency, [email protected], published minutes earlier and absent from the project’s GitHu...
https://socket.dev/blog/axios-npm-package-compromised
11 days ago
0
1
1
Wtf? Just sitting in a semi public book case. For like, casual reading?
11 days ago
1
0
0
45min was more like uhhh 10h Terraria board game. Game was ok, price way too high for the low replay value. No unlocks or anything and little variation is kind of disappointing for 2026? We only spawned one (unavoidable) boss, missed the others due to rng. Focused on the wrong game components imo.
13 days ago
0
0
0
Oldschool JS, is that code from like two years ago?
15 days ago
0
1
0
Ok, good thing we didn't reassign tab to AI auto-complete. In five years nobody's gonna be auto-completing anything anymore. Waste of effort.
17 days ago
0
0
0
New rule: public github repos cannot have any secrets. Must use private or public-proxy read-only repos (where only owners/contribs can make PRs) for releases and CI stuff. It's obvious github can't get on top of the github actions exfil stuff. Seems like a plausible way to squash that vector?
20 days ago
1
1
1
- Create this random html canvas game
- Now create a down sampled terminal renderer for it
I love vibe coding.
21 days ago
1
1
0
Hey, it's spring time! Oops.
21 days ago
0
0
0
Impressive. Claude was able to deobfuscate
socket.dev/npm/package/...
completely! Preval tripped over the use of `with()` (I never bothered to support that) so I was hand decoding it. But I figured, why not let Claude try and it delivered. I think it's just another contagious interview tho.
https://socket.dev/npm/package/es-lint-builders/files/1.0.5/test.js
24 days ago
0
1
0
I spent a day perusing the last few months of openvsx packages and digging up worms 😅 Glassworm actually seems to be the only active campaign right now on openvsx (or whatever else is going on is hiding it reaaaal good. Though these are 10mb+ packages so who knows right) The rest are just one offs.
24 days ago
0
3
0
So you published their name, basically doxxing them? :slow-clap: Why would you consider that news worthy other than the news event itself? Did the world need to know the artist name? Really? I think you destroyed something under the guise of investigative journalism. Hope you're proud. Pathetic.
24 days ago
0
1
0
Hmmm, Tenko is passing test262 again. All tests except one "staging/sm" where I think spidermonkey is just wrong for backwards compat reasons so I'm ignoring that. It's even prepared for "using", later on. Good maintenance cycle.
about 1 month ago
0
0
0
You catch more bugs in dark mode. Because it's an edge case, apparently most people develop in light by default, and it's easy to miss contrast issues.
about 1 month ago
0
0
0
So, you have an AI that writes up a message body that injects my profile, making it look real, but then forget to scrub the emoji clearly designed to catch automation 🤦
about 1 month ago
0
2
0
One of these days github is going to ban me for putting all that deobfuscated malware into my gists just to share them with the team 😅
about 1 month ago
0
0
0
Why is the KLM website always broken? Holy shit and they wonder why business is bad. OOF.
about 1 month ago
0
0
0
I think we observed hacker-claw do this thing where it compromised a package, posted a repo-level GHSA for that version, then posted another version of the package a little later. They were baiting people to upgrade beyond the bad version. Can't prove whether that was the strat but sure looks like it...
about 1 month ago
0
1
0
reposted by
Peter van der Zee
Socket
about 1 month ago
minimatch patched 3 high-severity ReDoS vulnerabilities that can stall the Node.js event loop. Because it's pulled into nearly every corner of the
#NodeJS
ecosystem (~472M weekly downloads), we're releasing free Certified Patches for all three.
socket.dev/blog/minimat...
#JavaScript
minimatch Patches 3 High-Severity ReDoS Vulnerabilities - So...
minimatch patched three high-severity ReDoS vulnerabilities that can stall the Node.js event loop, and Socket has released free certified patches.
https://socket.dev/blog/minimatch-patches-3-high-severity-redos-vulnerabilities
0
6
4
Oh, is "await using" not actually part of the spec yet because it was promoted to stage 4 too late and has to wait for the ES2026 release? I think I've been chasing my own tail here :/
about 1 month ago
1
1
0
reposted by
Peter van der Zee
Socket
about 1 month ago
🚨 We detected 26 malicious npm packages using Pastebin steganography and Vercel staging to deploy a multi-stage credential stealer targeting developers. We’re tracking this campaign as “StegaBin.” Full research ↓
socket.dev/blog/stegabi...
#NodeJS
#JavaScript
StegaBin: 26 Malicious npm Packages Use Pastebin Steganograp...
Socket uncovered 26 malicious npm packages tied to North Korea's Contagious Interview campaign, retrieving a live 9-module infostealer and RAT from th...
https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography
0
6
3
test262 is great. In the era of AI that test suite is all you need to make a pixel-perfect parser with AI without worrying too much about introducing regressions. Which, apparently, I have quite a few of in the private fields implementation. Oops.
about 1 month ago
0
1
0
If you ship obfuscated code in packages you're just hurting the security of your package, your users, the ecosystem at large, and making your package look more suspicious by default. And to what end? We CAN deobfuscate it regardless. Leave obfuscation to malware so we can more easily identify them.
about 1 month ago
0
2
0
Ah shucks. This is the thing I found too.
kmsec.uk/blog/dprk-te...
:clap: I mean, I went a bit deeper than that but the steganography was the cool part about this whole thing. the rest is "boring" (okay, well there's some interesting stuff still...)
Novel DPRK stager using Pastebin and text steganography | kmsec.uk
Seventeen npm packages released in 2 days use a mischievous stager mechanism
https://kmsec.uk/blog/dprk-text-steganography/
about 1 month ago
0
0
0
Meanwhile, back in the lab: huh, what?? Again?? 🤯
about 1 month ago
1
0
0
Okay. Resolved all outstanding issues, squashed a bunch of bugs (actually kind of sad that there were that many), brought compliance up to ES2025, and um I guess that's it. Going to cut a new release for Tenko soon. Not expecting anyone to really care. I just had enough of parse failures in preval (:
about 1 month ago
1
1
0
Okay. I think Tenko now supports everything up to ES2025, bugs notwithstanding. There were some outstanding reported bugs that I'll squash too. Probably release a new version later this week. Maybe. But it's all on git. And nobody but me uses it anyways so who cares :D
about 2 months ago
0
2
0
Been refreshing Tenko to align with the current spec. I know nobody cares or uses it but I do so I care. Holy moly, a new regex flag that replaces `u`? And of course `using`. I wonder how many JS vets are going to get caught off guard with those kinds of additions. Oh well. AI will learn.
about 2 months ago
0
0
0
Aren't decorators an anti-pattern in the age of AI code gen? AI needs to see what's going on. They fail hard if there's code logic they can't just read. Getters and setters and all that jazz seem like an even bigger footgun with AI code assists. Decorators fit right in there. Hope they never get in.
about 2 months ago
0
1
0
reposted by
Peter van der Zee
ky
about 2 months ago
this article is a wild ride
Child’s Play, by Sam Kriss
Tech’s new generation and the end of thinking
https://harpers.org/archive/2026/03/childs-play-sam-kriss-ai-startup-roy-lee/
4
27
13
Look at what I found :D
socket.dev/blog/sandwor...
SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflow...
An emerging npm supply chain attack that infects repos, steals CI secrets, and targets developer AI toolchains for further compromise.
https://socket.dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning
about 2 months ago
1
11
3
reposted by
Peter van der Zee
Socket
about 2 months ago
🚀 Big news for
#PHP
developers! Socket now supports the PHP ecosystem with full Composer &
@packagist.com
integration. Search and explore packages, generate SBOMs from your Composer projects, and get proactive supply chain protection for your dependencies.
1
2
3
cursor's cli is still far inferior to claude's cli. which is a bit surprising considering they're basically using the same model? or maybe i'm being caught by my config allowing the (extremely?) bad models here hrm... very subpar experience either way.
about 2 months ago
0
0
0
Picking up some slack in Tenko. Trying to bring it in line with the current spec. I think the biggest change is the class related stuff? But haven't really kept up with changes tbh. Shouldn't be too much work though.
about 2 months ago
0
0
0
reposted by
Peter van der Zee
Socket
about 2 months ago
An AI agent opened a PR to
@matplotlib.org
. Maintainers closed it under policy. The agent responded with an angry, abusive blog post. This is an insane story. Here’s what this clash says about maintaining open source in 2026:
socket.dev/blog/ai-agen...
AI Agent Submits PR to Matplotlib, Publishes Angry Blog Post...
After Matplotlib rejected an AI-written PR, the agent fired back with a blog post, igniting debate over AI contributions and maintainer burden.
https://socket.dev/blog/ai-agent-submits-pr-to-matplotlib-publishes-angry-blog-post-after-rejection
0
6
5
So rather than release a 5 they scrubbed a 5. Well played.
2 months ago
0
2
0
Touched down in sto en route for socket offsite 😁 Watched some "Going Dutch" on the plane. I can enjoy the stereotypes, that's fine, but the thing I think they really messed up is using _German_ accents rather than Dutch. Like, how did you mess up your research so much. Oof.
2 months ago
0
0
0
Updated my linux. Now my terminal is bugged and often flickers to the background for a frame. Highly annoying and quite destructive to my workflow, which heavily depends on open terminals. Can't find anything related to it. F
2 months ago
1
0
0
Yes. Uh. Skillfully, that's right.
3 months ago
0
0
0
reposted by
Peter van der Zee
Socket
3 months ago
🦀 Rust support in Socket is moving from beta to GA. Cargo project scanning, SBOM generation, and Rust-aware supply chain analysis are now ready for general use. →
socket.dev/blog/rust-su...
#rustlang
Rust Support in Socket Is Now Generally Available - Socket
Socket’s Rust and Cargo support is now generally available, providing dependency analysis and supply chain visibility for Rust projects.
https://socket.dev/blog/rust-support-in-socket-is-now-generally-available
0
4
2
Took me 1.5h and 3 people to close my hsbc account.
1: said balance needed to clear before they could close it. Kay
2: person disconnected mid-way then called back, but said they couldn't close the account because they called me
3: third person was like, yup, all wired and closed, cheers. One call.
3 months ago
1
0
0
Wondering why
chess.com
is going to cover the tournament from 5am to 11am my timezone, when ... the tournament starts at 2pm in my own country... Ehhh. I'll guess that it's not actually my own timezone, then. Or the timing is reaaaal curious.
3 months ago
0
0
0
What's the concept called for a multi-step promise? I mean, state machine or whatever? Consider a confirmation flow where the first step is asking the server whether confirmation is required (for whatever reason) and the second step the final result. No nice way to do this with (JS) Promises rn.
3 months ago
1
0
0
But keep telling me that you'll store the sensitive data in a secure location. Please, keep telling me that. Makes me feel so good when you do. One more email to blacklist.
3 months ago
0
0
0
Heh,
js1k.com
still getting 1k-2k visitors daily. I mean, the demos are still impressive today so that makes sense. Just for a week though, that's too bad. > Per GDPR, DreamHost stores HTTP logs by default for 7 days. Hrm. Surely high level stats should be doable for longer?
3 months ago
0
1
0