←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 8 comments | 27 Aug 25 01:38 UTC | HN request time: 0.001s | source | bottom
Show context
f311a ◴[27 Aug 25 12:55 UTC] No.45038992[source]
People really need to start thinking twice when adding a new dependency. So many supply chain attacks this year.

This week, I needed to add a progress bar with 8 stats counters to my Go project. I looked at the libraries, and they all had 3000+ lines of code. I asked LLM to write me a simple progress report tracking UI, and it was less than 150 lines. It works as expected, no dependencies needed. It's extremely simple, and everyone can understand the code. It just clears the terminal output and redraws it every second. It is also thread-safe. Took me 25 minutes to integrate it and review the code.

If you don't need a complex stats counter, a simple progress bar is like 30 lines of code as well.

This is a way to go for me now when considering another dependency. We don't have the resources to audit every package update.

replies(17): >>45039115 #>>45039225 #>>45039464 #>>45039724 #>>45039994 #>>45040021 #>>45040056 #>>45040113 #>>45040151 #>>45040162 #>>45040972 #>>45041479 #>>45041745 #>>45044165 #>>45045435 #>>45045983 #>>45052913 #
1. dakiol ◴[27 Aug 25 14:24 UTC] No.45040162[source]
Easier solution: you don’t need a progress bar.
replies(5): >>45040439 #>>45041636 #>>45042659 #>>45043506 #>>45049557 #
2. SoftTalker ◴[27 Aug 25 14:44 UTC] No.45040439[source]
Every feature is also a potential vulnerability.
replies(1): >>45041951 #
3. f311a ◴[27 Aug 25 16:14 UTC] No.45041636[source]
It runs indefinitely to process small jobs. I could log stats somewhere, but it complicates things. Right now, it's just a single binary that automatically gets restarted in case of a problem.
replies(1): >>45043658 #
4. ◴[27 Aug 25 16:41 UTC] No.45041951[source]
5. chairmansteve ◴[27 Aug 25 17:44 UTC] No.45042659[source]
One of the wisest comments I've ever seen on HN.
6. nicce ◴[27 Aug 25 18:52 UTC] No.45043506[source]
Depends on the purpose… but I guess if you replace it with estimated time left, may be good enough. Sometimes progress bar is just there to identify whether you need stop the job since it takes too much time.
7. skydhash ◴[27 Aug 25 19:04 UTC] No.45043658[source]
Why not print on stdout, then redirect it to a file?
8. vendiddy ◴[28 Aug 25 07:47 UTC] No.45049557[source]
And if you really do? Print the percentage to stdout.