HackerTrans
トップ新着トレンドコメント過去質問紹介求人

theodorejb

no profile record

投稿

MySQL 9.7.0 LTS

blogs.oracle.com
3 ポイント·投稿者 theodorejb·3 か月前·0 コメント

The Operational Cost of Vacuuming in PostgreSQL

mariadb.org
2 ポイント·投稿者 theodorejb·4 か月前·0 コメント

New Era of MySQL Community Engagement

blogs.oracle.com
1 ポイント·投稿者 theodorejb·5 か月前·0 コメント

KeePassXC 2.7.11 Released

keepassxc.org
4 ポイント·投稿者 theodorejb·8 か月前·0 コメント

PHP 8.5 Released

php.net
16 ポイント·投稿者 theodorejb·8 か月前·4 コメント

Alchemy

joshcollinsworth.com
1 ポイント·投稿者 theodorejb·8 か月前·0 コメント

コメント

theodorejb
·7 日前·議論
Instead of questioning whether the Big Bang assumption is true, astrophysicists prefer to perform endless "gymnastics" to try to make the mounting contrary data fit their theory about how the universe began.
theodorejb
·先月·議論
Only if the union is against the unethical request. In some cases the union may be for it, which makes it even harder to push back.
theodorejb
·先月·議論
You don't need to join a union to push back against unethical feature requests.
theodorejb
·2 か月前·議論
I've been building PHP Handlebars, a spec-compliant implementation of Handlebars in pure PHP:

https://github.com/devtheorem/php-handlebars

I've also been developing Cropt, a zero-dependency JavaScript image cropper which works great for cropping and scaling profile images before upload:

https://devtheorem.github.io/cropt/
theodorejb
·3 か月前·議論
This can be done with curl_multi_exec(), or with $client->getAsync() in Guzzle.

https://www.php.net/manual/en/function.curl-multi-exec.php

https://docs.guzzlephp.org/en/stable/quickstart.html#concurr...
theodorejb
·4 か月前·議論
In my petrol-powered Prius I average 52 MPG, so at the current price of gas ($2.60/gallon) I pay $0.50 to drive 10 miles - less than the listed cost to drive an electric car the same distance.
theodorejb
·5 か月前·議論
How would the photosensitivity and wiring to muscles come about at the same time?
theodorejb
·5 か月前·議論
What benefit is an eye unless there is also the capability of processing and using the information? How would both evolve simultaneously?
theodorejb
·7 か月前·議論
According to the timeline it took more than a week just for Filevine to respond saying they would review and fix the vulnerability. It was 24 days after initial disclosure when he confirmed the fix was in place.
theodorejb
·8 か月前·議論
My guess would be so they don't have to embed an IP address or hostname in the malware to send secrets to, which could then be blocked or taken down.
theodorejb
·8 か月前·議論
Someone could be tricked into giving their npm credentials to the attacker (e.g. via a phishing email), and then the attacker publishes new versions of their packages with the malicious diff. Then when the infected packages are installed, npm runs the malicious preinstall script which harvests secrets from the new machine, and if these include an npm token the worm can see which packages it has access to publish, and infect them too to continue spreading.
theodorejb
·8 か月前·議論
I can testify that steamed stingy nettles with gomasio (toasted sesame seeds and salt) is very delicious.
theodorejb
·8 か月前·議論
One option to make it a little safer is to add ignore-scripts=true to a .npmrc file in your project root. Lifestyle scripts then won't run automatically. It's not as nice as Pnpm or Bun, though, since this also prevents your own postinstall scripts from running (not just those of dependencies), and there's no way to whitelist trusted packages.
theodorejb
·8 か月前·議論
Bun also doesn't execute lifestyle scripts by default, except for a customizable whitelist of trusted dependencies:

https://bun.com/docs/guides/install/trusted
theodorejb
·8 か月前·議論
I would expect to be able to download a package and then inspect the code before I decide to import/run any of the package files. But npm by default will run arbitrary code in the package before developers have a chance to inspect it, which can be very surprising and dangerous.
theodorejb
·9 か月前·議論
> Human cognition was basically bruteforced by evolution

This is an assumption, not a fact. Perhaps human cognition was created by God, and our minds have an essential spiritual component which cannot be reproduced by a purely physical machine.
theodorejb
·10 か月前·議論
Yes it does, since the ignore-scripts option is not enabled by default.
theodorejb
·10 か月前·議論
Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.
theodorejb
·10 か月前·議論
In my experience, packages which legitimately require a postinstall script to work correctly are very rare. For the apps I maintain, esbuild is the only dependency which benefits from a postinstall script to slightly improve performance (though it still works without the script). So there's no scaling issue adding one or two packages to a whitelist if desired.
theodorejb
·10 か月前·議論
It's crazy to me that npm still executes postinstall scripts by default for all dependencies. Other package managers (Pnpm, Bun) do not run them for dependencies unless they are added to a specific allow-list. Composer never runs lifecycle scripts for dependencies.

This matters because dependencies are often installed in a build or development environment with access to things that are not available when the package is actually imported in a browser or other production environment.