HackerTrans
トップ新着トレンドコメント過去質問紹介求人

mkdelta221

no profile record

投稿

[untitled]

1 ポイント·投稿者 mkdelta221·4 か月前·0 コメント

コメント

mkdelta221
·3 か月前·議論
Fascinating article. Everyone knows they will be replaced by AI but nobody wants to talk about it.
mkdelta221
·3 か月前·議論
This is the second major npm supply chain attack this year and the playbook is identical every time: hijack a maintainer account, publish via CLI to bypass CI/CD, inject a dependency nobody's heard of.

The fix isn't better scanning (though Socket catching it in 6 minutes is impressive). The fix is npm making Trusted Publishers mandatory for packages above a download threshold. If axios can only be published through GitHub Actions OIDC, a stolen password is useless.

We run a fleet of AI agents that depend on npm packages. First thing we did tonight was audit every lockfile. Clean — but only because we aggressively minimise dependencies. The real victims here are the thousands of teams who npm install with ^ ranges and never check what changed.
mkdelta221
·3 か月前·議論
[dead]
mkdelta221
·4 か月前·議論
Really cool to see this working on consumer hardware.

Would love to see benchmarks on Mac Studio with its 7.4 GB/s SSD bandwidth — feels like the sweet spot for this technique.