No more JavaScript, it's clear y'all can't be trusted with it.
-
@huronbikes @darfplatypus The problem lies with npm postinstall, as soon as we all collectively agree to use a package manager that doesn’t run a postinstall script of any dependency you install, this goes away.
Pnpm bun idk.
@lil5 @darfplatypus *stares in lpad incident from 10 years back from which nothing of value was learned*
-
@lil5 @darfplatypus *stares in lpad incident from 10 years back from which nothing of value was learned*
@huronbikes @darfplatypus omfg it’s been that long
npm Blog Archive: Package install scripts vulnerability
npm Blog (Archive); updates from the npm team are now published on the GitHub Blog and the GitHub Changelog
(blog.npmjs.org)
Looks at published date: March 25th, 2016 10:16pm
-
@huronbikes @darfplatypus omfg it’s been that long
npm Blog Archive: Package install scripts vulnerability
npm Blog (Archive); updates from the npm team are now published on the GitHub Blog and the GitHub Changelog
(blog.npmjs.org)
Looks at published date: March 25th, 2016 10:16pm
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
@darfplatypus Yay!!!!
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
@darfplatypus go screw yourself, AL HAIL SAINT JAVASCRIPT
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
@darfplatypus (pauses with a spoonful of JavaScript halfway to mouth) (tries to hide the rest of the bowl behind back) it's just lucky charms
-
@huronbikes @darfplatypus The problem lies with npm postinstall, as soon as we all collectively agree to use a package manager that doesn’t run a postinstall script of any dependency you install, this goes away.
Pnpm bun idk.
@lil5 @huronbikes @darfplatypus what's great is that afaik you can turn off postinstall on most of these package managers
hell, most even introduced options to set a window where it won't update to the latest package if a release is within the time window.
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
@darfplatypus From my cold dead SSDs
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
-
@lil5 @huronbikes @darfplatypus what's great is that afaik you can turn off postinstall on most of these package managers
hell, most even introduced options to set a window where it won't update to the latest package if a release is within the time window.
@novet @huronbikes @darfplatypus
I’ve really enjoyed pnpm and deno they’re both great indeed
-
E em0nm4stodon@infosec.exchange shared this topic
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
@darfplatypus can you turn ai off while you are at it?
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
@darfplatypus better be safe and cut the plug off
-
No more JavaScript, it's clear y'all can't be trusted with it. I'm turning it off.
@darfplatypus This is long overdue and I applaud your willingness to take this needful corrective action.
-
@novet @huronbikes @darfplatypus
I’ve really enjoyed pnpm and deno they’re both great indeed
@lil5 @huronbikes @darfplatypus a group im part of are just starting a migration from bun to deno. am not really involved but it seems like the best option currently.
-
R relay@relay.infosec.exchange shared this topic
