#3 is surprising, I don't remember the last time I saw a distro installer without a "just wipe the disk and set up the recommended partitions" option, and most machines usually just have 1 drive.
That package wasn't any more random than any other NodeJS package. NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny.
That's what's needed and I am seriously surprised NPM is trusted like it is. And I am seriously surprised developers aren't afraid of being sued for shipping malware to people.
It's really, really not. Just write the libraries yourself. Have a team or two who does that stuff.
And, if you do need a lib because it's too much work, like maybe you have to parse some obscure language, just vendor the package. Read it, test it, make sure it works, and then pin the version. Realistically, you should only have a few dozen packages like this.
This does help. Even before, I was pretty careful about what I used, not just for security but also simplicity. Nowadays it's even easier to LLM-generate utils that one might've installed a dep for in the past.
Well, he didn’t say vibe code. Presumably, you’d still be reviewing the AI code before committing it.
I ran a little experiment recently, and it does take longer than just pulling in npm dependencies, but not that much longer for my particular project: logging, routing, rpc layer with end-to-end static types, database migrations, and so on. It took me a week to build a realistic, albeit simple app with only a few dependencies (Preact and Zod) running on Bun.
Heh, that's if the reviewer actually is a human doing their job and not another AI just waiting for the right keyword to act like a Manchurian candidate.
Of all the people on the entire internet, I would hope HN posters understand best that anything and everything posted online already has and also will at some point be used in such ways.
When it becomes a widespread issue they'll just release Meta Glasses 5/Apple Vision 3 with the appropriate eye protection, and vision will be very affordable.
Why do you have such an issue with the donation to the IDF? I understand disputing that he's the largest donor, but I doubt he has ever written a big cheque directly to Trump (or in fact anyone except his family) either, is it also unclear whether he's a Trump donor?
Even if there were no mechanism for donating to the IDF available to the general public, do you believe someone like Ellison couldn't easily give money to whomever he wanted?
*centuries, it was first predicted in the 19th century when Britain was burning increasingly massive amounts of coal.