HackerTrans
TopNewTrendsCommentsPastAskShowJobs

theodorejb

no profile record

Submissions

MySQL 9.7.0 LTS

blogs.oracle.com
3 points·by theodorejb·3 mesi fa·0 comments

The Operational Cost of Vacuuming in PostgreSQL

mariadb.org
2 points·by theodorejb·4 mesi fa·0 comments

New Era of MySQL Community Engagement

blogs.oracle.com
1 points·by theodorejb·5 mesi fa·0 comments

KeePassXC 2.7.11 Released

keepassxc.org
4 points·by theodorejb·8 mesi fa·0 comments

PHP 8.5 Released

php.net
16 points·by theodorejb·8 mesi fa·4 comments

Alchemy

joshcollinsworth.com
1 points·by theodorejb·8 mesi fa·0 comments

comments

theodorejb
·7 giorni fa·discuss
Instead of questioning whether the Big Bang assumption is true, astrophysicists prefer to perform endless "gymnastics" to try to make the mounting contrary data fit their theory about how the universe began.
theodorejb
·mese scorso·discuss
Only if the union is against the unethical request. In some cases the union may be for it, which makes it even harder to push back.
theodorejb
·mese scorso·discuss
You don't need to join a union to push back against unethical feature requests.
theodorejb
·2 mesi fa·discuss
I've been building PHP Handlebars, a spec-compliant implementation of Handlebars in pure PHP:

https://github.com/devtheorem/php-handlebars

I've also been developing Cropt, a zero-dependency JavaScript image cropper which works great for cropping and scaling profile images before upload:

https://devtheorem.github.io/cropt/
theodorejb
·3 mesi fa·discuss
This can be done with curl_multi_exec(), or with $client->getAsync() in Guzzle.

https://www.php.net/manual/en/function.curl-multi-exec.php

https://docs.guzzlephp.org/en/stable/quickstart.html#concurr...
theodorejb
·4 mesi fa·discuss
In my petrol-powered Prius I average 52 MPG, so at the current price of gas ($2.60/gallon) I pay $0.50 to drive 10 miles - less than the listed cost to drive an electric car the same distance.
theodorejb
·5 mesi fa·discuss
How would the photosensitivity and wiring to muscles come about at the same time?
theodorejb
·5 mesi fa·discuss
What benefit is an eye unless there is also the capability of processing and using the information? How would both evolve simultaneously?
theodorejb
·7 mesi fa·discuss
According to the timeline it took more than a week just for Filevine to respond saying they would review and fix the vulnerability. It was 24 days after initial disclosure when he confirmed the fix was in place.
theodorejb
·8 mesi fa·discuss
My guess would be so they don't have to embed an IP address or hostname in the malware to send secrets to, which could then be blocked or taken down.
theodorejb
·8 mesi fa·discuss
Someone could be tricked into giving their npm credentials to the attacker (e.g. via a phishing email), and then the attacker publishes new versions of their packages with the malicious diff. Then when the infected packages are installed, npm runs the malicious preinstall script which harvests secrets from the new machine, and if these include an npm token the worm can see which packages it has access to publish, and infect them too to continue spreading.
theodorejb
·8 mesi fa·discuss
I can testify that steamed stingy nettles with gomasio (toasted sesame seeds and salt) is very delicious.
theodorejb
·8 mesi fa·discuss
One option to make it a little safer is to add ignore-scripts=true to a .npmrc file in your project root. Lifestyle scripts then won't run automatically. It's not as nice as Pnpm or Bun, though, since this also prevents your own postinstall scripts from running (not just those of dependencies), and there's no way to whitelist trusted packages.
theodorejb
·8 mesi fa·discuss
Bun also doesn't execute lifestyle scripts by default, except for a customizable whitelist of trusted dependencies:

https://bun.com/docs/guides/install/trusted
theodorejb
·8 mesi fa·discuss
I would expect to be able to download a package and then inspect the code before I decide to import/run any of the package files. But npm by default will run arbitrary code in the package before developers have a chance to inspect it, which can be very surprising and dangerous.
theodorejb
·9 mesi fa·discuss
> Human cognition was basically bruteforced by evolution

This is an assumption, not a fact. Perhaps human cognition was created by God, and our minds have an essential spiritual component which cannot be reproduced by a purely physical machine.
theodorejb
·10 mesi fa·discuss
Yes it does, since the ignore-scripts option is not enabled by default.
theodorejb
·10 mesi fa·discuss
Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.
theodorejb
·10 mesi fa·discuss
In my experience, packages which legitimately require a postinstall script to work correctly are very rare. For the apps I maintain, esbuild is the only dependency which benefits from a postinstall script to slightly improve performance (though it still works without the script). So there's no scaling issue adding one or two packages to a whitelist if desired.
theodorejb
·10 mesi fa·discuss
It's crazy to me that npm still executes postinstall scripts by default for all dependencies. Other package managers (Pnpm, Bun) do not run them for dependencies unless they are added to a specific allow-list. Composer never runs lifecycle scripts for dependencies.

This matters because dependencies are often installed in a build or development environment with access to things that are not available when the package is actually imported in a browser or other production environment.