naugtur (@naugtur.pl)
now watching: www.youtube.com/watch?v=s-Ek...
Working on supply chain security for JS. LavaMoat and Endo contributor. meet.js Poland organizer. Node.js user since v0.8. Addicted to teaching. https://naugtur.pl
1,148 followers 237 following 2,111 posts
naugtur (@naugtur.pl) reply parent
hardenedjs.org is the spiritual successor
Darcy Clarke (@darcyclarke.me) reposted
Just your yearly reminder that the JS ecosystem could be much worse off... stuck in the *first level* of "Dependency Hell" like many other ecosystems with minimal options/diversity... lucky for us, we get to face much hotter problems
naugtur (@naugtur.pl) reply parent
The last GPT I enjoyed for coding was 3.5. Every one after that annoyed me too much.
Laurie Voss (@seldo.com) reposted
Google gets to keep Chrome and Mozilla gets to continue to exist: www.theverge.com/policy/71708...
naugtur (@naugtur.pl) reply parent
it could also be that some thing that's popular in CI optimized how often it downloads things ;)
naugtur (@naugtur.pl) reply parent
Yeah. Why download jquery if your users can do it for you :D
naugtur (@naugtur.pl) reply parent
I came here to say "add jquery and watch the lines disappear"
naugtur (@naugtur.pl) reply parent
My dad interned at a lab using an Odra and his responsibility was typing in the bootloader from a book on every boot
Sos Sosowski (@sosowski.bsky.social) reposted
Could programmers from 2025 understand 1980/90s code?
Liran Tal (@lirantal.com) reposted
potentially new npm malware campaign unfolding targeting Windows? that comment looks like it is targeting LLM / AI
naugtur (@naugtur.pl) reply parent
// TALK LIKE A PIRATE
naugtur (@naugtur.pl) reply parent
oof. not worth the build time on that branch
naugtur (@naugtur.pl) reply parent
Now I'm curious about the "almost" part :D
naugtur (@naugtur.pl) reply parent
I remember considering it but I failed to understand how it's different from the unstable channels because the features advertised all sounded the same as what I already had.
naugtur (@naugtur.pl) reply parent
Congrats to all 3!
Chad (@kitation.co.uk) reposted
Britain post-WW2: we need to set up institutions to stop fascism rising again. Britain now: these institutions are getting in the way of the fascism we want to do!
naugtur (@naugtur.pl) reply parent
It's really tiny. And somewhat silly. But I'm in it for the research on letting it safely run code within the page without messing things up
Women In Cybersecurity Community Association (@womenofwicca.bsky.social) reposted
Happy International Women in Cyber Day! To all the women breaking firewalls and glass ceilings, you make cyberspace safer and more exciting. At WICCA, we see and celebrate you every day. Wanna join the circle? https://womenofwicca.nl & https://wiccon.nl/
naugtur (@naugtur.pl) reply parent
I used to have a setup (in the OS, on a thinkpad) that would charge the battery to 100% but then not start charging it again until it was at 95% or below.
naugtur (@naugtur.pl)
@nullvoxpopuli.com Have you figured this out? community.frame.work/t/does-the-f... Mine is using up 1% of battery and charging back up while plugged in. Even tried switching from the 60W power supply it ships with to a 65W from a thinkpad and it doesn't seem to help.
Lea Verou, PhD (@lea.verou.me) reposted reply parent
"…If you want to talk about possible risks to your supply chain, a single maintainer that's grossly underpaid and overworked." Yuuup. Baffling how so many companies depend on open source software without funding it, ever.
Lea Verou, PhD (@lea.verou.me) reposted
This is excellent. "Open source, the thing that drives the world, the thing Harvard says has an economic value of $8.8 trillion. Most of it is one person. And I can promise you not one of those single person projects have the amount of resources they need" opensourcesecurity.io/2025/08-oss-...
naugtur (@naugtur.pl) reply parent
It's that one developer.chrome.com/docs/ai/prom...
naugtur (@naugtur.pl) reply parent
Planning to do tool calling later but that might be too much for it. Maybe I'll switch to something more powerful. But tool calling from JS should be more natural when it's just another function. Overall trying to see how much I'll get out of letting AI run code to think
naugtur (@naugtur.pl) reply parent
I got gemini nano in chrome to write JS to solve basic counting problems instead of guessing, but it's very flaky. It can tell how many Rs in rare strawberry arrangement thanks to that tho
naugtur (@naugtur.pl) reply parent
Not sure how useful that's gonna be but I have a small implementation of LZW with popular word substitution I needed for a project 12 years ago github.com/naugtur/ripp... You might use it for some content
naugtur (@naugtur.pl) reply parent
The way AI chat works is similar to vscode copilot, but it works better and the free tier of 50 chats is actually a lot because it keeps going and iterating for a while as 1 of those 50. It updated my very old ansible project to work with latest ansible for 2 of those.
naugtur (@naugtur.pl)
I tried @zed.dev a bit and it's awesome. Things I'd like to figure out: 1. TS server under zed explodes to a few gigs of memory on larger projects (didn't do that with vscode) 2. Can I have a collab session without the audio call? 3. My audio in collab is really bad on Linux. Happy to help debug.
naugtur (@naugtur.pl) reply parent
I write up to 90% of my slides in markdown. In a textarea. Look at the source of the slides I linked. There's no build step, all my mess is there.
naugtur (@naugtur.pl) reply parent
People competing in JS golfing use stronger stuff. There was a lot of advice online a while back. One thing I remember was www.iteral.com/jscrush/
naugtur (@naugtur.pl) reply parent
I've been using revealjs for 10+ years now and my favorite things I put in my slides are there thanks to the flexibility of it being a slides library on a HTML site. This is a CSS animation of elements generated from array: naugtur.pl/pres3/lava/d...
naugtur (@naugtur.pl) reply parent
These are wasps. Bees are more round and a bit fluffy. Protect bees, we need them. Wasps on the other hand are pests mostly.
naugtur (@naugtur.pl) reply parent
You'll find that this man is referred to as that in Polish part of the internet now. It even has a Wikipedia entry en.m.wikipedia.org/wiki/Janusz_...
naugtur (@naugtur.pl) reply parent
We have this group of business people in Poland that think they're better than others and that the people they exploit deserve it. They do what they can to pay their workers as little as possible and skimp on everything including customer service and deserved refunds. We call them "Janusz biznesu"
naugtur (@naugtur.pl) reply parent
I never noticed "future proof" is an ambiguous term. Thanks!
naugtur (@naugtur.pl) reply parent
In 2012 I spent 3h explaining to an intern why the way they connected model with view is backwards. It's hard work.
naugtur (@naugtur.pl) reply parent
But @zef.me might prefer that I link to a newer rewrite alt.management/no-more-judg... Getting people to listen when you disagree with their design is half this and half building trust & reputation. You're good on reputation front I suppose.
naugtur (@naugtur.pl) reply parent
If you're asking seriously the answer is you need to learn some basics of NVC to avoid sounding judgemental and stick to facts, be very specific to the topic at hand and it's going to be a lot of work. My intro to NVC was from @zef.me medium.com/zef-me/judgm...
naugtur (@naugtur.pl) reply parent
Interesting. Could I talk to you and that group about www.npmjs.com/package/@lav... ?
naugtur (@naugtur.pl) reply parent
Your mind is beautiful
naugtur (@naugtur.pl) reply parent
This is what AI hallucinating should have been called. I'll try to use it now.
naugtur (@naugtur.pl) reply parent
Punishable by public whipping I suppose?
naugtur (@naugtur.pl)
Oh, look. A rare wise human
naugtur (@naugtur.pl)
If you don't see why you should want it, ask and I'll explain.
boneskull (@boneskull.dev) reposted
I forked the old npm-merge-driver to work with npm v7+ because package-lock.json conflicts were harshing my mellow www.npmjs.com/package/pack... #npm #nodejs
naugtur (@naugtur.pl) reply parent
You're getting close to usable range bsky.app/profile/naug...
naugtur (@naugtur.pl) reply parent
I've got 200+ tabs and 0 desktop icons. Don't hate an empty desktop. It's nice.
naugtur (@naugtur.pl) reply parent
What's your estimate? bsky.app/profile/naug...
naugtur (@naugtur.pl) reply parent
Back when Firefox could put many tabs in one process (it's now isolated for more security at the cost of more RAM use) I once kept the latest ~200 tabs and clicked "close to the right" and it asked if I want to close 1072 tabs. I'm open to matching beverage suggestions
naugtur (@naugtur.pl) reply parent
It's pretty! But also, the most likely to crumble under pressure of your memory is exploding
naugtur (@naugtur.pl) reply parent
Future nostalgia will be generated real time by genai.
brianloveswords (@brianloveswords.com) reposted
hello it's me your CEO texting from a number you've never seen, I need 46 gas station hot dogs for an important business deal no time to explain why
naugtur (@naugtur.pl) reply parent
They need to run in a disallow-all + allow by policy environment. There's a lot of areas where AI needs constraints. I'm working on some too. One example - a new option in LavaMoat to treat parts of the app the same way it treats packages: github.com/LavaMoat/Lav...
naugtur (@naugtur.pl) reply parent
- usbc dock with extra ports that I used with dells and lenovo doesn't work with it at all, not even as power source (I blame the dock tho)
- the fan is pretty loud but also quite effective. I'm wondering if it could be set up to be quieter but run a bit longer.
naugtur (@naugtur.pl)
Fresh thoughts on a new @frame.work 13
- building was mostly fun. putting the bezel on was scary.
- building framework12 in comparison was too easy and too short :D
- the matte display + setting up 1:1 pixel display without scaling gives me an insanely spacious desktop
(a growing thread)
naugtur (@naugtur.pl) reply parent
To get anything reasonable from an agent you need to set it up with a test setup and linting etc. It's going to shit itself 10% of the time or worse, but will have the context to undo when it gets test errors. That's how people get results from agents. "No, try again" is often enough in chats
Checkmarx Zero (@checkmarxzero.bsky.social) reposted
Amazon's close call with their #AmazonQ #VisualStudioCode extension is a case study in the need for #ApplicationSecurity teams to consider attacks against developers.
naugtur (@naugtur.pl) reply parent
That's scary
Darcy Clarke (@darcyclarke.me) reposted
If you think you might be affected by the nx compromise please revoke the GitHub CLI Authorized OAuth App: github.com/settings/con... Notably, this is the only way to revoke/rotate the tokens made by/known to that app. The next time you `gh login` you can reauth.
naugtur (@naugtur.pl) reply parent
In case you are ever missing it again for a pun, you can copy-paste it from here: '
naugtur (@naugtur.pl) reply parent
"Alone of all the creatures in the world, trolls believe that all living things go through Time backwards. 'If the past is visible and the future is hidden,' they say, 'then it means you must be facing the wrong way. Everything alive is going through life back to front."
naugtur (@naugtur.pl) reply parent
Simple. Throw errors on 45% of sites.
naugtur (@naugtur.pl) reply parent
The harm would not be there without the funding and pursuit of domination. They didn't have to steal copyrighted works and try to make a profit with that at all cost. The technology of transformers is not corrupted. It's simply not ready for scaling, and trying to causes harm.
naugtur (@naugtur.pl) reply parent
The idea that Europe is not contributing meaningfully to various things has been coming up more in certain circles in America recently. Doesn't make it true.
naugtur (@naugtur.pl) reply parent
Without the current variation of capitalism scientists would have moved on to other things instead of putting a few countries' worth of electricity into scaling GPTs.
naugtur (@naugtur.pl) reply parent
At least when it shows lies they're intentional
Deno (@deno.land) reposted
We're launching a GoFundMe to cover legal fees to #FreeJavaScript trademark from Oracle. We need to raise $200k to make full use of the discovery phase in the trademark cancelation petition. This is a critical step in protecting the JavaScript name for the whole community. javascript.tm
Nathan Grayson (@nathangrayson.bsky.social) reposted
with each successive round of layoffs and buyouts, IGN staff have found themselves increasingly overworked. so now, in an effort to get laid-off colleagues rehired, they've resolved to do their fair share, and no more
naugtur (@naugtur.pl) reply parent
I'm better off breaking it forcibly and avoiding leaking globals through it than preserving the value because it could only have a value if lavamoat runs too late OR browsers change the default - the probability of that is approximately zero. Thanks for the poke. Do check out what Lavamoat does
naugtur (@naugtur.pl) reply parent
The assignment happens synchronously in the first script on a page before anything else. The idea was to collapse the setter to whatever the value was there already. But you're making a good point. It is unlikely to ever have a default value in the future and worst case I could capture an event.
naugtur (@naugtur.pl) reply parent
Mitigate effortlessly when this is ready: github.com/lavamoat/kip... And check out other lavamoat tools lavamoat.github.io
Socket (@socket.dev) reposted
Supply chain attack on Nx npm packages (4.6M weekly downloads) Malware abused AI CLI tools (Claude, Gemini, Q) to steal creds + wallets, then exfiltrated to GitHub repos (s1ngularity-repository*). More than 1,000 victim accounts confirmed. socket.dev/blog/nx-pack... #nodejs
Wes (@notwes.bsky.social) reposted
A great example of why provenance is useless without 2fa: github.com/nrwl/nx/issu...
Node.js (@nodejs.org) reposted
Node.js v24.7.0 is out
Featuring:
- Post-Quantum Cryptography in node:crypto
- Modern Algorithms in Web Cryptography API
- Node.js execution argument support in single executable applications
And more details in our blog: nodejs.org/en/blog/rele...
naugtur (@naugtur.pl) reposted
I wrote this line today to fix a problem: window.event = window.event Wanna know why? dev.to/naugtur/some...
naugtur (@naugtur.pl) reply parent
I'll probably stay on 2023 flagships until free software phones mature fully
naugtur (@naugtur.pl) reply parent
Pretty sure it is. @evilpacket.net might confirm if he's willing to remember ;)
naugtur (@naugtur.pl) reply parent
Not cursed in comparison. I lost motivation to dig further but it seems there might be a difference in the prototype chain of window in Firefox extension contentscript between the Mac and Linux implementation. Or at least in how it can be accessed.
Liran Tal (@lirantal.com) reposted
Excellent work to Ulises and the Express team keeping the OG application server for Node.js up to good standards, healthy, and free of security vulnerabilities
naugtur (@naugtur.pl)
Show me how an AI agent is replacing me in my job of going from "The project hangs the entire Firefox" to "I fixed it with window.event=window.event"
naugtur (@naugtur.pl)
If software engineering was about who can create the lines of code faster, I would probably have learned to touch-type by now.
naugtur (@naugtur.pl)
Take any "Vibe coding best practices" post, remove all mentions of AI and prompting, I bet it reads like it's 2012.
naugtur (@naugtur.pl) reply parent
That was the reason I never wanted an Apple device. I was using Firefox OS nightly as my daily driver until both the hardware and the software died the same month. Got an old oneplus in my drawer waiting to be flashed with something open, but when that runs out, who's gonna make me a phone?
naugtur (@naugtur.pl) reply parent
gr8
Hold Me Closer, Giant Dancers (@giantdancers.bsky.social) reposted
I really hate the term "sideloading". I preferred the original term, which was "installing software on a computer that you own"
naugtur (@naugtur.pl) reply parent
wait, and what's stopping you from url(--val) ?
naugtur (@naugtur.pl) reply parent
There's a poison you can buy. Go to a store that specializes in garden plants, show someone the picture and ask what to buy because there's a few types afair
naugtur (@naugtur.pl) reply parent
Mozilla did Firefox OS and nobody bought it because it was too low-end. Canonical wanted to do Ubuntu phone, but nobody bought it because it was too high-end. If you want to control the hardware you own, you need to buy the imperfect ones first before you get the good ones years later.
naugtur (@naugtur.pl) reply parent
Own the hardware you buy
InfoSec (@infosec.skyfleet.blue) reposted
Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3
naugtur (@naugtur.pl) reply parent
You're famous
naugtur (@naugtur.pl) reply parent
It is a good joke tho. Maybe add a gif of an old PC (it both explains the joke and adds more proof you grew up in the 90s)
naugtur (@naugtur.pl) reply parent
I would love some alien+cyberpunk btw
naugtur (@naugtur.pl) reply parent
The scrolling text promises alien+cyberpunk. The show delivers alien+teenage heroes. And the plot is like someone brought notes from a RPG session where the GM didn't know the players well and they went running around doing chores, ignoring the main quest
naugtur (@naugtur.pl) reply parent
The modules would have to be smaller tho