HackerTrans
TopNewTrendsCommentsPastAskShowJobs

theodorejb

no profile record

Submissions

MySQL 9.7.0 LTS

blogs.oracle.com
3 points·by theodorejb·3 miesiące temu·0 comments

The Operational Cost of Vacuuming in PostgreSQL

mariadb.org
2 points·by theodorejb·4 miesiące temu·0 comments

New Era of MySQL Community Engagement

blogs.oracle.com
1 points·by theodorejb·5 miesięcy temu·0 comments

KeePassXC 2.7.11 Released

keepassxc.org
4 points·by theodorejb·8 miesięcy temu·0 comments

PHP 8.5 Released

php.net
16 points·by theodorejb·8 miesięcy temu·4 comments

Alchemy

joshcollinsworth.com
1 points·by theodorejb·8 miesięcy temu·0 comments

comments

theodorejb
·7 dni temu·discuss
Instead of questioning whether the Big Bang assumption is true, astrophysicists prefer to perform endless "gymnastics" to try to make the mounting contrary data fit their theory about how the universe began.
theodorejb
·w zeszłym miesiącu·discuss
Only if the union is against the unethical request. In some cases the union may be for it, which makes it even harder to push back.
theodorejb
·w zeszłym miesiącu·discuss
You don't need to join a union to push back against unethical feature requests.
theodorejb
·2 miesiące temu·discuss
I've been building PHP Handlebars, a spec-compliant implementation of Handlebars in pure PHP:

https://github.com/devtheorem/php-handlebars

I've also been developing Cropt, a zero-dependency JavaScript image cropper which works great for cropping and scaling profile images before upload:

https://devtheorem.github.io/cropt/
theodorejb
·3 miesiące temu·discuss
This can be done with curl_multi_exec(), or with $client->getAsync() in Guzzle.

https://www.php.net/manual/en/function.curl-multi-exec.php

https://docs.guzzlephp.org/en/stable/quickstart.html#concurr...
theodorejb
·4 miesiące temu·discuss
In my petrol-powered Prius I average 52 MPG, so at the current price of gas ($2.60/gallon) I pay $0.50 to drive 10 miles - less than the listed cost to drive an electric car the same distance.
theodorejb
·5 miesięcy temu·discuss
How would the photosensitivity and wiring to muscles come about at the same time?
theodorejb
·5 miesięcy temu·discuss
What benefit is an eye unless there is also the capability of processing and using the information? How would both evolve simultaneously?
theodorejb
·7 miesięcy temu·discuss
According to the timeline it took more than a week just for Filevine to respond saying they would review and fix the vulnerability. It was 24 days after initial disclosure when he confirmed the fix was in place.
theodorejb
·8 miesięcy temu·discuss
My guess would be so they don't have to embed an IP address or hostname in the malware to send secrets to, which could then be blocked or taken down.
theodorejb
·8 miesięcy temu·discuss
Someone could be tricked into giving their npm credentials to the attacker (e.g. via a phishing email), and then the attacker publishes new versions of their packages with the malicious diff. Then when the infected packages are installed, npm runs the malicious preinstall script which harvests secrets from the new machine, and if these include an npm token the worm can see which packages it has access to publish, and infect them too to continue spreading.
theodorejb
·8 miesięcy temu·discuss
I can testify that steamed stingy nettles with gomasio (toasted sesame seeds and salt) is very delicious.
theodorejb
·8 miesięcy temu·discuss
One option to make it a little safer is to add ignore-scripts=true to a .npmrc file in your project root. Lifestyle scripts then won't run automatically. It's not as nice as Pnpm or Bun, though, since this also prevents your own postinstall scripts from running (not just those of dependencies), and there's no way to whitelist trusted packages.
theodorejb
·8 miesięcy temu·discuss
Bun also doesn't execute lifestyle scripts by default, except for a customizable whitelist of trusted dependencies:

https://bun.com/docs/guides/install/trusted
theodorejb
·8 miesięcy temu·discuss
I would expect to be able to download a package and then inspect the code before I decide to import/run any of the package files. But npm by default will run arbitrary code in the package before developers have a chance to inspect it, which can be very surprising and dangerous.
theodorejb
·9 miesięcy temu·discuss
> Human cognition was basically bruteforced by evolution

This is an assumption, not a fact. Perhaps human cognition was created by God, and our minds have an essential spiritual component which cannot be reproduced by a purely physical machine.
theodorejb
·10 miesięcy temu·discuss
Yes it does, since the ignore-scripts option is not enabled by default.
theodorejb
·10 miesięcy temu·discuss
Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.
theodorejb
·10 miesięcy temu·discuss
In my experience, packages which legitimately require a postinstall script to work correctly are very rare. For the apps I maintain, esbuild is the only dependency which benefits from a postinstall script to slightly improve performance (though it still works without the script). So there's no scaling issue adding one or two packages to a whitelist if desired.
theodorejb
·10 miesięcy temu·discuss
It's crazy to me that npm still executes postinstall scripts by default for all dependencies. Other package managers (Pnpm, Bun) do not run them for dependencies unless they are added to a specific allow-list. Composer never runs lifecycle scripts for dependencies.

This matters because dependencies are often installed in a build or development environment with access to things that are not available when the package is actually imported in a browser or other production environment.