Posts by Peter van der Zee

Wait wasn't emdash vibed out? Why not translation too...?

1 day ago 0 0 2 0

dangit, school system

not writing with proper punctuation caps and syntax actually proves you're human!

the bots could never lower themselves to write invalid sentences!

3 days ago 1 0 0 0

try { } catch (x) rethrow A,B { }

"but not A,B", "ignoring A,B", "dont catch A,B", "catch (x) if A,B", I dunno...

Seems like an AbortError is a viable real world common candidate to get this treatment (arguably, that's "abusing" the throw mechanic as a side channel, but that ship has sailed)

3 days ago 0 0 0 0

Anyone know of a chess book that teaches you an opening by like puzzles and steps you through lines for a particular opening and explains most of them into the middle game, but also the ideas behind it, why certain moves are bad, etc? Maybe a bit modern?

I'm not finding books that hit the spot :/

5 days ago 0 0 0 0

The axios compromise blast radius is much much much bigger than people seem to suspect. The secret: transitive dependencies with open ranges making it extremely obscure and difficult to detect whether you were affected, after the fact.

1 week ago 7 5 0 0

Dog ate my homework -> Claude rimraffed me, sir.

1 week ago 0 0 0 0

Arguably, it's okay to reduce your phantom opaque rate limits down to borderline useless when your users still won't hit these new limits (either) anyways, right?

Because you can't reach rate limits WHEN THE PRODUCT HAS AN INCIDENT/OUTAGE ALL THE TIME :smart:

oof.

1 week ago 0 0 0 0
Supply Chain Attack on Axios Pulls Malicious Dependency from... A supply chain attack on Axios introduced a malicious dependency, plain-crypto-js@4.2.1, published minutes earlier and absent from the project’s GitHu...

Yikes.

socket.dev/blog/axios-n...

1 week ago 1 1 0 0

Wtf? Just sitting in a semi public book case. For like, casual reading?

2 weeks ago 0 0 1 0

45min was more like uhhh 10h

Terraria board game. Game was ok, price way too high for the low replay value. No unlocks or anything and little variation is kind of disappointing for 2026?
We only spawned one (unavoidable) boss, missed the others due to rng.

Focused on the wrong game components imo.

2 weeks ago 0 0 0 0

Oldschool JS, is that code from like two years ago?

2 weeks ago 1 0 0 0

Ok good thing we didn't reassign tab to AI auto-complete.

In five years nobody gonna be auto-completing anything anymore. Waste of effort.

2 weeks ago 0 0 0 0

GHA has access to env secrets, not stored in the code base.

3 weeks ago 0 0 0 0

New rule: public github repos cannot have any secrets. Must use private or public-proxy read-only repos (where only owners/contribs can make PRs) for releases and CI stuff.

It's obvious github can't get on top of the github actions exfil stuff. Seems like a plausible way to squash that vector?

3 weeks ago 1 0 1 1

Oui

3 weeks ago 1 0 0 0

Luckily they have a limited context window

3 weeks ago 0 0 1 0

- Create this random html canvas game
- Now create a down sampled terminal renderer for it

I love vibe coding.

3 weeks ago 1 0 1 0

Hey, it's spring time!

Oops.

3 weeks ago 0 0 0 0

I still have PTSD from working on flow in ocaml :'(
I'm gonna pass on this one

3 weeks ago 0 0 0 0

Hmmm there's a few signatures but that wasn't one of them. You sure that's not just a one-off?

3 weeks ago 0 0 0 0

Impressive. Claude was able to deobfuscate socket.dev/npm/package/... completely!

Preval tripped over the use of `with()` (I never bothered to support that) so I was hand decoding it. But I figured, why not let Claude try and it delivered.

I think it's just another contagious interview tho.

3 weeks ago 1 0 0 0

I spent a day perusing the last few months of openvsx packages and digging up worms 😅
Glassworm actually seems to be the only active campaign right now on openvsx (or whatever else is going on is hiding it reaaaal good. Though these are 10mb+ packages so who knows right)
The rest are just one offs.

3 weeks ago 3 0 0 0

I already know before he does. It's all about planting a seed.

(It's Socket)

3 weeks ago 2 0 0 0

So you published their name, basically doxxing them? :slow-clap:

Why would you consider that news worthy other than the news event itself? Did the world need to know the artist name? Really?

I think you destroyed something under the guise of investigative journalism. Hope you're proud.

Pathetic.

3 weeks ago 1 0 0 0

Hmmm, Tenko is passing test262 again. All tests except one "staging/sm" where I think spidermonkey is just wrong for backwards compat reasons so I'm ignoring that. It's even prepared for "using", later on.

Good maintenance cycle.

1 month ago 0 0 0 0

You catch more bugs in dark mode.

Because it's an edge case, apparently most people develop in light by default, and it's easy to miss contrast issues.

1 month ago 0 0 0 0

I'm with you.
It's not for prod but with strip types you can do something funky in the front end to strip typescript on load and just have it run. (And of course node 24 supports that out of the box).
Need browsers to support strip types too...

1 month ago 1 0 0 0

So, you have an AI that writes up a message body that injects my profile, making it look real, but then forget to scrub the emoji clearly designed to catch automation 🤦

1 month ago 2 0 0 0

One of these days github is going to ban me for putting all that deobfuscated malware into my gists just to share them with the team 😅

1 month ago 0 0 0 0

Why is the KLM website always broken? Holy shit and they wonder why business is bad. OOF.

1 month ago 0 0 0 0