←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 3 comments | 16 Sep 25 11:22 UTC | HN request time: 0s | source
Show context
freakynit ◴[16 Sep 25 11:38 UTC] No.45260858[source]
New day, new npm malware. Sigh..
replies(3): >>45260898 #>>45260942 #>>45268206 #
motorest ◴[16 Sep 25 11:43 UTC] No.45260898[source]
> New day, new npm malware. Sigh..

This. But the problem seems to go way deeper than npm or whatever package manager is used. I mean, why is anyone consuming a package like colors or tinycolors? Do projects really need to drag in a random dependency to handle these usecases?

replies(2): >>45260930 #>>45261400 #
epolanski ◴[16 Sep 25 12:36 UTC] No.45261400[source]
Why are people using React to write simple ecommerces?

Why are React devs pulling object utils from lodash instead of reimplementing them?

replies(1): >>45262608 #
motorest ◴[16 Sep 25 14:20 UTC] No.45262608{3}[source]
> Why are people using React to write simple ecommerces?

What leads you to believe React is not well suited to simple ecommerce sites?

replies(1): >>45263267 #
1. epolanski ◴[16 Sep 25 15:01 UTC] No.45263267{4}[source]
1. It's a solution meant for highly interactive app-like websites, not static-content driven websites like ecommerces. React in this context is just the wrong tool for the problem that will give you a huge array of performance, bugs and ux problems.

2. Extensive ecommerce experience including Disney, Carnival Cruises, Booking, TUI, and some of the European leaders in real estate and professional home building tools among the others.

replies(1): >>45264583 #
2. motorest ◴[16 Sep 25 16:40 UTC] No.45264583[source]
> 1. It's a solution meant for highly interactive app-like websites, not static-content driven websites like ecommerces. React in this context is just the wrong tool for the problem that will give you a huge array of performance, bugs and ux problems.

Strongly disagree. React is not about interactivity, but reactivity. If you have to consume an API and update your app based on the responses, React does all the heavy lifting for you without requiring full page reloads.

On top of that, and as a nice perk, React also gives you all the tools you will ever need to optimize perceived performance.

Claiming that a tool designed for reactive programming is not suited for the happy flow of reactive programming is simply fundamentally wrong.

replies(1): >>45264847 #
3. epolanski ◴[16 Sep 25 16:59 UTC] No.45264847[source]
1. React didn't invent SPAs and reactivity.

2. Ecommerces are not highly dynamic pages. They are overwhelmingly static content with an occasional configurator/cart/search. All things that can be embedded with whatever library you like (including React), or even better none at all.

3. Seo and performance is what really matters in ecommerces. The only minor exceptions are shops like Amazon or Airbnb, but that's unrelated to their seo and performance.

4. I've been writing React and ecommerces using React and similar with millions of daily users for a decade :)