Depending on how you count, something like 96%, 94%, 65% or 87% of mainstream media employees lean left. Of course this matters less and less as customers tune out and their influence wanes.
Thanks for the link. However, a 7x size differential does not fully explain a 100x security incident differential -- although I'm sure it's part of it. Some of the root causes are very hard to address (e.g. a very limited standard library which encourages dependency explosions), some are just hard (e.g. established cultural norms around version pinning and upgrades, well-established reliance on install scripts) and some are easier (e.g. small tool improvements like min-release-age). I'm personally not going to touch npm with a ten foot pole in the next year or two, but I'd love to see significant improvement, so that I have that option again in 2 or 3 years. Stay safe!
Days since last malicious packages in NPM: 0 (evergreen)
Days since last malicious packages in PyPI: 30
Days since last malicious packages in Maven: 120
I'm sure this isn't 100% accurate, and there are probably better metrics (average number of malicious packages per year, average number of developers affected per year, etc) but they aren't as easy as a quick Google News search.
New PR: revert GitHub software and infrastructure to version of June 1st, 2018.
New PR: disable new user signups for 6 months
HR initiative: all future KPIs automatically require three-nines availability; all bonuses are forfeited, regardless of accomplishments, if annual availability falls below target
> The thing keeping maven safe for now is that most people pin [...] versions
Yes, and also the signing of JARs that are uploaded to the repository, and the fact that most release processes are not fully automated, and the batteries-included standard library which reduces the total number of dependencies, and the fact that a run-of-the-mill third-party library can't execute code at build time, and the very small number of people with credentials to publish new versions of major Maven plugins, etc.
There are npm supply chain exploits in the news every other day. I'm honestly surprised that something as decentralized as Go Modules is more reliable, but here we are. The fact that we're not seeing these stories about e.g. Maven is not at all surprising, given the limited need for third party libraries and the culture of careful upgrades in the Java ecosystem. If npm proponents want the ecosystem to survive, they need to demand / create better and stop making excuses.
The future may be distributed quite unevenly here, as they say, with a divergence between a small amount of "responsible" code in systems which leverage AI defensively, and a larger amount of vibe-coded / prompt-engineered code in systems which don't go through the extra trouble, and in fact create additional risk by cutting corners on human review. I personally know a lot of people using AI to create software faster, but none of them have created special security harnesses a la Mozilla (https://arstechnica.com/information-technology/2026/05/mozil...).
Disagree with so much here. But if, in your mind, the US is turning authoritarian, this is a "cut off your nose to spite your face" move. They should be taking the fight where it most needs fighting. They should not be making donors like myself question whether we still share objectives.
Where do you see that? All I see is a claim that it no longer makes sense from a financial standpoint (but no comparative numbers provided for the other platforms they are keeping, which is sus, especially given their presence on very niche platforms like Bluesky), and vague justifications based on identity politics and "community care" loci, which is either nonsense or deep argot unsuitable for the intended audience.
He's saying that they have ideological concerns beyond the ideological concerns you would tend to associate with the EFF (digital privacy, open source, patent trolling, etc). I for one am sad to see that this is the case. There are fewer and fewer organizations protecting civil rights without being dragged into left/right tribalism.