Skip to content(if available)orjump to list(if available)

HN

OpenAI’s Windsurf deal is off, and Windsurf’s CEO is going to Google

ETH Zurich and EPFL to release a LLM developed on public infrastructure

ty-penguin.org.uk

Preliminary report into Air India crash released

A software conference that advocates for quality

bettersoftwareconference.com

Upgrading an M4 Pro Mac mini's storage for half the price

jeffgeerling.com

Dict Unpacking in Python

Andrew Ng: Building Faster with AI [video]

Bill Atkinson's psychedelic user interface

patternproject.substack.com

HDD Clicker generates HDD clicking sounds, based on HDD Led activity

Astronomers race to study interstellar interloper

Repaste Your MacBook

christianselig.com

Apple vs the Law

formularsumo.co.uk

Activeloop (YC S18) Is Hiring AI Search and Python Back End Engineers(Onsite,MV)

careers.activeloop.ai

Monorail – Turn CSS animations into interactive SVG graphs

'123456' password exposed chats for 64M McDonald's job applicants

bleepingcomputer.com

Show HN: RULER – Easily apply RL to any agent

Introduction to Digital Filters

ccrma.stanford.edu

Lead pigment in turmeric is the culprit in a global poisoning mystery (2024)

At Least 13 People Died by Suicide Amid U.K. Post Office Scandal, Report Says

2-4 wire converters / hybrids (2009)

DiffuCoder: Understanding and Improving Masked Diffusion Models for Code Gen

Show HN: Pangolin – Open source alternative to Cloudflare Tunnels

The GitVenom campaign: cryptocurrency theft using GitHub

The GitVenom campaign: cryptocurrency theft using GitHub

4 comments

·February 26, 2025

Sophira

> Blindly running code from GitHub can be detrimental

And this is exactly why I dislike how most dependency managers nowadays (especially npm) use GitHub directly. I prefer something where somebody other than the dev has reviewed the code. As it is, I could be installing literally anything.

from-nibly

I agree that downloading from git directly is dumb but for other reasons. Regular npm packages don't have to have any relationship to the source code repository. You can just upload whatever files you want and call it version x and then in git tag a commit with completely different files in it.

npm doesn't review the files uploaded to npm unless there is some sort of report.

Sophira

Oh dear, I didn't realise this. I knew that GitHub Release archives could have different files in them - for example, see the xz backdoor recently - but I didn't realise that npm would use those by default.

from-nibly

It doesn't use the releases. It just bundles up whatever files you tell it to.