> as in its current state it wouldn’t prevent attacks such as Shai-Hulud and other recent ones. From our blog, almost like we knew. 🔮 openjsf.org/blog/publish...

"grok". He friggin ruined the perfectly great word "grok". What an asshole.

A lot of repos already have this information. Why are they being forced to put it in a different format in a different location for robots? Or did the robots get trained on human behavior to not read existing documentation? github.blog/ai-and-ml/un...

Node.js is actually good now. Opened a repo that has code that's probably some 7-8 years old, because it had a renovate PR for a while. Closed the renovate PR and instead removed 6 dependencies, replacing them with built-ins.

Not that anyone here needs to hear this, but for the record, in a democracy "people voted differently from the way I expected or hoped" does not constitute evidence of fraud, no matter how many pretty charts and graphs of "voting patterns" you make.

I see a lot of people here being smug about AWS having a major outage. 😞 What happened to #hugops?

I was going to say that staying in your neighborhood on a Saturday is not a protest, but a picnic. However that video 😲

To give some credit (I don’t mean to be so harsh) it is a series of *really deep* paper cuts. But the real ailment is internal bleeding, and neither bandaids (the right paper cut treatment) not the cast fix the problem. We need forced 2FA supported from CI.

Someone should make one of these giant frog style costumes that looks like an Irish Mammy. Then you can protest as Aunt Aoife.

Get a permanent access to publishing with a single factor as long as you publish from github but no 2fa totp for your setup that can't be stolen at scale.

Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.

copilot is smarter than ever (we no longer have accurate counts of pull requests on the pull requests tab)

🚀 BIG NEWS: We just shipped @platformatic/python - run Python ASGI apps INSIDE your Node.js process! This changes everything for AI/ML + Node.js apps 🧵 youtu.be/8eAAP9IF4xA

Wha?! How is this even possible? Almost 1 GiB per day? I don't even watch the videos or anything.

Just received an SMS from an unknown number. Moments after, Google changed that to show me the first and last name of the person. How is this legal?

What are people using to track their reading these days? Goodreads, Storygraph? #reading

Will Github ever take spam detection seriously? Aka at all? They don't have even at the most basic blatant spam detection that any self-respecting email provider had 15 years ago, and now that we have AI you'd think it would be useful at least for this. Why do I have to keep doing this manually?

My assessment is that they're forcing people into Github Actions while not solving any of the recent problems? github.blog/security/sup...

How come verdaccio does not have a way to quarantine packages for a number of hours? Anyone tried building a plugin for that?

either npm with staged package publishes that you can only promote manually using 2FA, or GHA workflows being able to pause and enter info or visit a URL, yep

I guess it's time to start keeping some food stuffs in the car...

I spent some time reading posts on Reddit yesterday, tons of partial and misguided information. Everybody here seems to think that OICD is the golden ticket, but that’s also not the case.

come on can we have at least one nice thing

In a cryptographically verified communication system you mistrust anyone that has changed their encryption key until you have verified it out of bounds. In a multi-maintainer scenario like now, npm should require confirmation from at least one other maintainer if an account changes eg 2FA

Soooooooo... When are we starting attempts to claw back npm from Microsoft?

They said "before the end of summer" and they delivered 🥹 help.kobo.com/hc/en-us/art...

Automated threat detection be all like "A threat actor might use this command! Are you sure it's ok to use this command? Maybe don't use this command?" 🤬

Hold on, so nx did not have 2fa?

We did this great push to make sure JS related queries result in MDN being first on Google. Simultaneously, Google trained their users to ignore the first result (which is usually spam). And so I just observed a candidate going straight to W3Schools to look up the syntax for whatever they needed..

Where in the SBOM do you include the SLOP?

Truthiness. It's bloody truthiness all the way down. 20 years of truthiness in a couple of months! And look how it has grown up 🥹 pure, undistilled, industrial grade, weaponized truthiness. Probably deserves a celebration (aka getting drunk and crying a lot).

And still no 2fa workflow? This is *not* more secure than a human who uses 2fa. Cant put 2fa in front of a GHA run yet, and without a 3rd party you cannot do a 2fa for npm for publish. Instead of promoting security theater, please put pressure on @github.com to actually address the real problem.

copilot complained that the repo doesn't have copilot instructions on a comment **in the PR in which copilot is generating copilot instructions**, in case you wondered how the robot uprising is going

Thinking of getting IKEA kitchen furniture for my home office 🤔 At least I can get the stuff in the sizes and colors close to what I'd like to have them.

Opened up an old file today. It had a .clearfix class in there. Those were the days.

Have y'all gone on holidays or back to Twitter?

Heads up that v3.3.1 of npmjs.com/is has malware in it, due to another maintainer’s account being hijacked. They’re removed for now, v3.3.0 is set at latest, v3.3.1 is deprecated, and a v3.3.2 will be published once I’m not on my phone (thx @github.com codespaces)

Using LLM as a fancy autocomplete can be nice. They have improved and they get more things right. One thing they have not improved on is stopping. If I accepted your suggestion, and then stopped typing - maybe, just maybe, I now have enough of code. But nope, infinite paperclips need to be made.

I was traveling during the week, so had to wait until today to put this on to honor the author of this t-shirt. A lot of the success that was enabled in my life can be traced back to this.

The API is the UI for developers, it needs UX just as much as the graphical interface does. It's just lazy to suggest that the users are developers so they should be able to deal with the pain of navigating it. You should be making it easy for users, not yourselves.

Why do Bluesky sessions in the Android app expire so often? No other social network does that.

I JUST MET YOU THIS IS CRAZY HERE WE ARE NOW CALL ME MAYBE

Spent half a day trying to get ChatGPT to convert a PDF floor plan into a HomeAssistant config for toggling lights. Gave up in the end and just did it myself. In the Gartner Hype Cycle for AI, it feels like I'm going straight to Trough of Disillusionment. Probably not getting out of it either.

Imagine you'd need to give away this much of your privacy when buying milk 🤬 but clearly even with this number of competitors, the user experience is still not a priority. Oh how I'd love just tap my payment cart when I need a charge...

I'm using the same PromQL queries in Grafana dashboards, in Helm charts to drive scaling with KEDA and in Javascript to generate reports (where Grafana/Thanos/Prometheus simply can't handle the workload).

We have a cronjob to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show the for example (identical) Cyrillic version of a letter next to the Latin version in a diff and it is yes, entirely impossible for a human to spot […] [Original post on mastodon.social]

Short thread about how I tripped and fell on a $1500 Cursor auth bypass (mostly because burp suite is rad)

Is there a small device that would try to connect to any network it can find and phone home for instructions? Thinking of building something fancier than the typical tags as an anti-theft measure. Does not need to be battery powered, although feeding off 220v would probably be bulky?

For the love of humanity, I don't understand if they meant this or if this is sarcasm. www.economist.com/finance-and-...