Sabitlenmiş Tweet
Rust
12.5K posts
Rust
@amureki
Software Engineer at https://t.co/kKULM3H3vT | OSS maintainer
Berlin, Germany Katılım Kasım 2009
386 Takip Edilen563 Takipçiler
@ppleqlshit @Marat_Galiev У меня друг будучи в Вене ищет работу с опытом на стеке Python/Typescript/Rust. Куда писать? :)
Русский
@dutch_dispatch Если пользователь при этом счастлив и двигает ползунок - проблема решена, причём без дорогих инженеров? :) А уязвимости сейчас везде есть, такой положняк. Если что, свалим на плохой AI. Ну и насколько страшно что взломают ползунок?
Русский
Наблюдаю рассвет вайбкодинга в неинженерном департаменте компании.
Сегодня мне показали ПРИЛОЖЕНИЕ которое по движению ползунка анимированно вычитает 20 из введенного пользователем числа. Чем дальше тянешь ползунок, тем больше раз вычетает.
Русский
I don't see at the moment how we can "manually" update dependency, since NPM does not allow package exclusion to the `min-release-age`: github.com/npm/cli/issues…
CVEs are still important to handle, and patches are being released regularly across all popular frameworks and packages.
English
@amureki @LowLevelTweets CVEs are more rare they could be manually updated per incident
English
I would go longer than 2 days, probably a week or two, but this is great advice
🇮🇹 Massimo De Luisa@massimodeluisa
Easier way to protect yourself (if you are not infected yet) is to set a minimum release age in your package manager. For @npmjs: `npm config set min-release-age=2d` For @pnpmjs: `pnpm config set minimumReleaseAge 2880` For @bunjavascript: ``` # In bunfig.toml [install] minimumReleaseAge = 172800 ``` For Yarn: `yarn config set npmMinimalAgeGate "48h"`
English
But dependency cooldowns have their own downsides, so we'd rather not do them blindly.
Imagine a maintainer creating a new release that addresses CVEs. Would we still wait 2, 3, or 7 days before installing it?
Maybe the better rule is to delay routine updates, but fast-track verified security fixes.
English
Yes, dependency cooldowns are a good one
x.com/jangiacomelli/…
Jan Giacomelli@jangiacomelli
@GergelyOrosz You could add a dependency cooldown. e.g., never install versions that are less than 1 week old. Also, I think that for more and more things, it makes more sense to simply implement it yourself. But that's not true for everything - e.g., building an HTTP server from scratch
English
Supply chain attacks are happening left and right with npm, PyPI and so many other places. It seems to be getting worse, everyone agrees.
But what can you do about it?
Some thoughts on possible approaches (all have tradeoffs).
What did I miss? And what vendors actually work?
English
Like what the actual F
>The main payload is a credential stealer, but it also includes country-aware logic; it avoids Russian-language environments and contains a geo fenced destructive branch that has 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran.
English
You were not ready for this, but vibe-slop now killed the whole .de zone.
Frank@jedisct1
All the .de domain names are currently offline due to a DNSSEC failure at DeNIC. dnsviz.net/d/de/dnssec/ - Yay, DNSSEC.
English
The AI race is simple now - whoever gets to 6.7 first wins
Pedro Duarte@peduarte
i wonder how long we can keep talking in numbers before it stops making sense 😆
English
TLDR: too much vibecoding
also, they've reset limits just now! FIrst time for how long?
ClaudeDevs@ClaudeDevs
Over the past month, some of you reported Claude Code's quality had slipped. We investigated, and published a post-mortem on the three issues we found. All are fixed in v2.1.116+ and we’ve reset usage limits for all subscribers.
English
Good lord, I'm glad we're actually at 96% (s4.5, not opus4.6-7), which means we can solve climate change and cure cancer.
But I'm a bit sad that AP from RL Labs can't even do multi-turn reasoning to dive into what they're commenting on.
Natasha Jaques@natashajaques
LLMs will supposedly solve climate change and cure cancer, but in fact they can't even do multi-turn reasoning tasks effectively (SOTA models are < 10% on this benchmark). Interestingly, this work directly compares how much extra performance you get when you add an agentic harness (figure 7): a lot for simple optimization problems, 0% for math and chemistry.
English
@moraes_c_ Huhu 👋
On Github notifications page, hover over the item to see a summary of the content for a quick look/action.
English
👋 I'm the PM on GitHub's Maintainer Love team, and we're focused on making your life easier.
If you could wave a magic wand, what is the #1 feature you'd want us to ship? No idea is too tiny - the smallest changes often have the biggest impact.
Drop your wishes below. 👇
English
You can always sell/gift it to people who will find a use for it. I was donating such things for people in need, for example. It is completely unusable in your case, but that does not mean the same for the others.
Alice und Bob@alice_und_bob
I got this very nice Parity branded battery pack last year. The problem is I can’t use it because most my cables are USB C and it only outputs USB A. So I have a very nice piece of Parity branded technology sitting on my shelf that is completely unusable in my real life because it is built against some outdated assumptions and not my actual requirements. I know it’s not a nice to draw this comparison. But this thought keeps HAUNTING me since I have this thing. I hope things will change for the better. „Products for People“ is the right mantra to build useful things for the future.
English
