HackerTrans
TopNewTrendsCommentsPastAskShowJobs

theodorejb

no profile record

Submissions

MySQL 9.7.0 LTS

blogs.oracle.com
3 points·by theodorejb·3 bulan yang lalu·0 comments

The Operational Cost of Vacuuming in PostgreSQL

mariadb.org
2 points·by theodorejb·4 bulan yang lalu·0 comments

New Era of MySQL Community Engagement

blogs.oracle.com
1 points·by theodorejb·5 bulan yang lalu·0 comments

KeePassXC 2.7.11 Released

keepassxc.org
4 points·by theodorejb·8 bulan yang lalu·0 comments

PHP 8.5 Released

php.net
16 points·by theodorejb·8 bulan yang lalu·4 comments

Alchemy

joshcollinsworth.com
1 points·by theodorejb·8 bulan yang lalu·0 comments

comments

theodorejb
·7 hari yang lalu·discuss
Instead of questioning whether the Big Bang assumption is true, astrophysicists prefer to perform endless "gymnastics" to try to make the mounting contrary data fit their theory about how the universe began.
theodorejb
·bulan lalu·discuss
Only if the union is against the unethical request. In some cases the union may be for it, which makes it even harder to push back.
theodorejb
·bulan lalu·discuss
You don't need to join a union to push back against unethical feature requests.
theodorejb
·2 bulan yang lalu·discuss
I've been building PHP Handlebars, a spec-compliant implementation of Handlebars in pure PHP:

https://github.com/devtheorem/php-handlebars

I've also been developing Cropt, a zero-dependency JavaScript image cropper which works great for cropping and scaling profile images before upload:

https://devtheorem.github.io/cropt/
theodorejb
·3 bulan yang lalu·discuss
This can be done with curl_multi_exec(), or with $client->getAsync() in Guzzle.

https://www.php.net/manual/en/function.curl-multi-exec.php

https://docs.guzzlephp.org/en/stable/quickstart.html#concurr...
theodorejb
·4 bulan yang lalu·discuss
In my petrol-powered Prius I average 52 MPG, so at the current price of gas ($2.60/gallon) I pay $0.50 to drive 10 miles - less than the listed cost to drive an electric car the same distance.
theodorejb
·5 bulan yang lalu·discuss
How would the photosensitivity and wiring to muscles come about at the same time?
theodorejb
·5 bulan yang lalu·discuss
What benefit is an eye unless there is also the capability of processing and using the information? How would both evolve simultaneously?
theodorejb
·7 bulan yang lalu·discuss
According to the timeline it took more than a week just for Filevine to respond saying they would review and fix the vulnerability. It was 24 days after initial disclosure when he confirmed the fix was in place.
theodorejb
·8 bulan yang lalu·discuss
My guess would be so they don't have to embed an IP address or hostname in the malware to send secrets to, which could then be blocked or taken down.
theodorejb
·8 bulan yang lalu·discuss
Someone could be tricked into giving their npm credentials to the attacker (e.g. via a phishing email), and then the attacker publishes new versions of their packages with the malicious diff. Then when the infected packages are installed, npm runs the malicious preinstall script which harvests secrets from the new machine, and if these include an npm token the worm can see which packages it has access to publish, and infect them too to continue spreading.
theodorejb
·8 bulan yang lalu·discuss
I can testify that steamed stingy nettles with gomasio (toasted sesame seeds and salt) is very delicious.
theodorejb
·8 bulan yang lalu·discuss
One option to make it a little safer is to add ignore-scripts=true to a .npmrc file in your project root. Lifestyle scripts then won't run automatically. It's not as nice as Pnpm or Bun, though, since this also prevents your own postinstall scripts from running (not just those of dependencies), and there's no way to whitelist trusted packages.
theodorejb
·8 bulan yang lalu·discuss
Bun also doesn't execute lifestyle scripts by default, except for a customizable whitelist of trusted dependencies:

https://bun.com/docs/guides/install/trusted
theodorejb
·8 bulan yang lalu·discuss
I would expect to be able to download a package and then inspect the code before I decide to import/run any of the package files. But npm by default will run arbitrary code in the package before developers have a chance to inspect it, which can be very surprising and dangerous.
theodorejb
·9 bulan yang lalu·discuss
> Human cognition was basically bruteforced by evolution

This is an assumption, not a fact. Perhaps human cognition was created by God, and our minds have an essential spiritual component which cannot be reproduced by a purely physical machine.
theodorejb
·10 bulan yang lalu·discuss
Yes it does, since the ignore-scripts option is not enabled by default.
theodorejb
·10 bulan yang lalu·discuss
Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.
theodorejb
·10 bulan yang lalu·discuss
In my experience, packages which legitimately require a postinstall script to work correctly are very rare. For the apps I maintain, esbuild is the only dependency which benefits from a postinstall script to slightly improve performance (though it still works without the script). So there's no scaling issue adding one or two packages to a whitelist if desired.
theodorejb
·10 bulan yang lalu·discuss
It's crazy to me that npm still executes postinstall scripts by default for all dependencies. Other package managers (Pnpm, Bun) do not run them for dependencies unless they are added to a specific allow-list. Composer never runs lifecycle scripts for dependencies.

This matters because dependencies are often installed in a build or development environment with access to things that are not available when the package is actually imported in a browser or other production environment.