←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 3 comments | 16 Sep 25 11:22 UTC | HN request time: 0s | source
Show context
codemonkey-zeta ◴[16 Sep 25 11:56 UTC] No.45261026[source]
I'm coming to the unfortunate realizattion that supply chain attacks like this are simply baked into the modern JavaScript ecosystem. Vendoring can mitigate your immediate exposure, but does not solve this problem.

These attacks may just be the final push I needed to take server rendering (without js) more seriously. The HTMX folks convinced me that I can get REALLY far without any JavaScript, and my apps will probably be faster and less janky anyway.

replies(18): >>45261086 #>>45261121 #>>45261140 #>>45261165 #>>45261220 #>>45261265 #>>45261285 #>>45261457 #>>45261571 #>>45261702 #>>45261970 #>>45262601 #>>45262619 #>>45262851 #>>45267210 #>>45268405 #>>45269073 #>>45273081 #
petcat ◴[16 Sep 25 12:03 UTC] No.45261086[source]
Rendering template partials server-side and fetching/loading content updates with HTMX in the browser seems like the best of all worlds at this point.
replies(1): >>45261097 #
koakuma-chan ◴[16 Sep 25 12:04 UTC] No.45261097[source]
Until you need to write JavaScript?
replies(3): >>45261143 #>>45261161 #>>45261240 #
ehnto ◴[16 Sep 25 12:10 UTC] No.45261161{3}[source]
But that's the neat part, you don't!
replies(1): >>45261170 #
koakuma-chan ◴[16 Sep 25 12:11 UTC] No.45261170{4}[source]
Until you have to.
replies(1): >>45261880 #
1. speed_spread ◴[16 Sep 25 13:20 UTC] No.45261880{5}[source]
The only way to win is not to play.
replies(1): >>45262311 #
2. koakuma-chan ◴[16 Sep 25 13:53 UTC] No.45262311[source]
Let me quit my job real quick. The endgame is probably becoming a monk, no kidding.
replies(1): >>45271982 #
3. joquarky ◴[17 Sep 25 05:16 UTC] No.45271982[source]
I considered becoming a Zen monk, but then I gave up the desire.