silverwind·vorgestern·discussYes, tsconfig is a mess to scope. It needs a re-design to allow glob-based matching for all options and in typescript instead of jsonc.
silverwind·vor 3 Tagen·discussSeems they not running these agents with the same permissions of the user prompting them, what a disaster.
silverwind·vor 9 Tagen·discussI think tsdown is much better suited for CLI and library builds. Vite has many web-isms that don't matter for these.
silverwind·letzten Monat·discussYeah, a missed opportunity. But I'm sure such a compiler will eventually arise.
silverwind·vor 2 Monaten·discussTrue, sometimes a Claude answer is so on the spot, it'd a waste to not post it alongside your short summary.
silverwind·vor 2 Monaten·discussPR spam is a major problems for repo that run bounties. Maybe GitHub should temporarily block accounts from raising PRs if like 95%+ of them are getting rejected.
silverwind·vor 2 Monaten·discussKnowing them, I expect a release probably next week, have fun in production with it.
silverwind·vor 2 Monaten·discussIt'll always be a cat-and-mouse game. If npm adds protections, it'll only yield false-positives and workarounds will be trivial.
silverwind·vor 2 Monaten·discussAlmost all these recent compromises seem to involve either cache poisoning or prompt injection via untrusted variables.
silverwind·vor 2 Monaten·discussI think it's just a case of brain drain, followed by reckless AI adoption which both drove the quality down.
silverwind·vor 2 Monaten·discussAll those forks turned out to be inferior projects with substantially less contributions than the originals.
silverwind·vor 2 Monaten·discussIt's definitely helpful to know whether a PR was AI-assisted or not and the git attribution line is a simple and effective way of communicating that.I also recommend specifying model name and version so the maintainer knows upfront the level of slop they are dealing with.
silverwind·vor 2 Monaten·discussI'm going even simpler, just bare docker with a idempotent bash wrapper.
silverwind·vor 2 Monaten·discussProblem with Go is the type system is rudimentary, so you can't "restrict" AIs as well as you could in Typescript.
silverwind·vor 2 Monaten·discusshttps://www.typescriptlang.org/tsconfig/#erasableSyntaxOnly covers them all, I strongly recommend running with that option enabled to be future-proof.
silverwind·vor 2 Monaten·discussMaybe now people can stop blaming npm and realize none of these unreviewed package ecosystem are safe.