Most active commenters
  • cluckindan(10)
  • zelphirkalt(9)
  • gameman144(3)
  • lukan(3)
  • smaudet(3)
  • sfn42(3)

←back to thread

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

(socket.dev)
1208 points jamesberthoty | 112 comments | 16 Sep 25 11:22 UTC | HN request time: 3.784s | source | bottom
Show context
kelnos ◴[16 Sep 25 19:35 UTC] No.45266878[source]
As a user of npm-hosted packages in my own projects, I'm not really sure what to do to protect myself. It's not feasible for me to audit every single one of my dependencies, and every one of my dependencies' dependencies, and so on. Even if I had the time to do that, I'm not a typescript/javascript expert, and I'm certain there are a lot of obfuscated things that an attacker could do that I wouldn't realize was embedded malware.

One thing I was thinking of was sort of a "delayed" mode to updating my own dependencies. The idea is that when I want to update my dependencies, instead of updating to the absolute latest version available of everything, it updates to versions that were released no more than some configurable amount of time ago. As a maintainer, I could decide that a package that's been out in the wild for at least 6 weeks is less likely to have unnoticed malware in it than one that was released just yesterday.

Obviously this is not a perfect fix, as there's no guarantee that the delay time I specify is enough for any particular package. And I'd want the tool to present me with options sometimes: e.g. if my current version of a dep has a vulnerability, and the fix for it came out a few days ago, I might choose to update to it (better eliminate the known vulnerability than refuse to update for fear of an unknown one) rather than wait until it's older than my threshold.

replies(35): >>45266995 #>>45267024 #>>45267360 #>>45267489 #>>45267600 #>>45267697 #>>45267722 #>>45267967 #>>45268218 #>>45268503 #>>45268654 #>>45268764 #>>45269143 #>>45269397 #>>45269398 #>>45269524 #>>45269799 #>>45269945 #>>45270082 #>>45270083 #>>45270420 #>>45270708 #>>45270917 #>>45270938 #>>45272063 #>>45272548 #>>45273074 #>>45273291 #>>45273321 #>>45273387 #>>45273513 #>>45273935 #>>45274324 #>>45275452 #>>45277692 #
1. gameman144 ◴[16 Sep 25 19:45 UTC] No.45267024[source]
> It's not feasible for me to audit every single one of my dependencies, and every one of my dependencies' dependencies

I think this is a good argument for reducing your dependency count as much as possible, and keeping them to well-known and trustworthy (security-wise) creators.

"Not-invented-here" syndrome is counterproductive if you can trust all authors, but in an uncontrolled or unaudited ecosystem it's actually pretty sensible.

replies(8): >>45267054 #>>45267101 #>>45267444 #>>45268170 #>>45268880 #>>45270337 #>>45273381 #>>45273796 #
2. Ajedi32 ◴[16 Sep 25 19:48 UTC] No.45267054[source]
If it's not feasible to audit every single dependency, it's probably even less feasible to rewrite every single dependency from scratch. Avoiding that duplicated work is precisely why we import dependencies in the first place.
replies(11): >>45267090 #>>45267094 #>>45267132 #>>45267222 #>>45267415 #>>45267471 #>>45268298 #>>45269164 #>>45270175 #>>45270363 #>>45270519 #
3. curtisf ◴[16 Sep 25 19:51 UTC] No.45267090[source]
This is true to the extent that you actually _use_ all of the features of a dependency.

You only need to rewrite what you use, which for many (probably most) libraries will be 1% or less of it

replies(1): >>45267507 #
4. AlecBG ◴[16 Sep 25 19:51 UTC] No.45267094[source]
Not sure I completely agree as you often use only a small part of a library
5. EGreg ◴[16 Sep 25 19:51 UTC] No.45267101[source]
Exactly.

I always tried to keep the dependencies to a minimum.

Another thing you can do is lock versions to a year ago (this is what linux distros do) and wait for multiple audits of something, or lack of reports in the wild, before updating.

replies(1): >>45267246 #
6. lukan ◴[16 Sep 25 19:54 UTC] No.45267132[source]
"rewrite every single dependency from scratch"

No need to. But also no need to pull in a dependency that could be just a few lines of own (LLM generated) code.

replies(1): >>45267221 #
7. brianleb ◴[16 Sep 25 20:01 UTC] No.45267221{3}[source]
>>a few lines of own (LLM generated) code.

... and now you've switched the attack vector to a hostile LLM.

replies(3): >>45267528 #>>45269094 #>>45272158 #
8. gameman144 ◴[16 Sep 25 20:01 UTC] No.45267222[source]
It isn't feasible to audit every line of every dependency, just as it's not possible to audit the full behavior of every employee that works at your company.

In both cases, the solution is similar: try to restrict access to vital systems only to those you trust,so that you have less need to audit their every move.

Your system administrators can access the server room, but the on-site barista can't. Your HTTP server is trusted enough to run in prod, but a color-formatting library isn't.

replies(1): >>45270529 #
9. gameman144 ◴[16 Sep 25 20:03 UTC] No.45267246[source]
I saw one of those word-substition browser plugins a few years back that swapped "dependency" for "liability", and it was basically never wrong.

(Big fan of version pinning in basically every context, too)

replies(1): >>45269333 #
10. zelphirkalt ◴[16 Sep 25 20:17 UTC] No.45267415[source]
Most dependencies do much more than we need from them. Often it means we only need one or a few functions from them. This means one doesn't need to rewrite whole dependencies usually. Don't use dependencies for things you can trivially write yourself, and use them for cases where it would be too much work to write yourself.
replies(3): >>45267701 #>>45271035 #>>45271065 #
11. 2muchcoffeeman ◴[16 Sep 25 20:21 UTC] No.45267444[source]
Have we all forgotten the left-pad incident?

This is an eco system that has taken code reuse to the (unreasonable) extreme.

When JS was becoming popular, I’m pretty sure every dev cocked an eyebrow at the dependency system and wondered how it’d be attacked.

replies(4): >>45267564 #>>45270790 #>>45274137 #>>45274653 #
12. bennyg ◴[16 Sep 25 20:23 UTC] No.45267471[source]
Sounds like the job for an LLM tool to extract what's actually used from appropriately-licensed OSS modules and paste directly into codebases.
replies(3): >>45267705 #>>45268191 #>>45269005 #
13. zahlman ◴[16 Sep 25 20:26 UTC] No.45267507{3}[source]
Indeed. About 26% of the disk space for a freshly-installed copy of pip 25.2 for Python 3.13 comes from https://pypi.org/project/rich/ (and its otherwise-unneeded dependency https://pypi.org/project/Pygments/), "a Python library for rich text and beautiful formatting in the terminal", hardly any of the features of which are relevant to pip. This is in spite of an apparent manual tree-shaking effort (mostly on Pygments) — a separate installed copy of rich+Pygments is larger than pip. But even with that attempt, for example, there are hundreds of kilobytes taken up for a single giant mapping of "friendly" string names to literally thousands of emoji.

Another 20% or more is https://pypi.org/project/requests/ and its dependencies — this is an extremely popular project despite that the standard library already provides the ability to make HTTPS connections (people just hate the API that much). One of requests' dependencies is certifi, which is basically just a .pem file in Python package form. The vendored requests has not seen any tree-shaking as far as I can tell.

This sort of thing is a big part of why I'll be able to make PAPER much smaller.

replies(1): >>45270855 #
14. zelphirkalt ◴[16 Sep 25 20:28 UTC] No.45267528{4}[source]
Though you will see the code at least, when you are copy pasting it and if it is really only a few lines, you may be able to review it. Should review it of course.
replies(1): >>45269090 #
15. zelphirkalt ◴[16 Sep 25 20:30 UTC] No.45267564[source]
> This is an eco system that has taken code reuse to the (unreasonable) extreme.

Not even that actually. Actually the wheel is reinvented over and over again in this exact ecosystem. Many packages are low quality, and not even suitable to be reused much.

replies(1): >>45270066 #
16. btown ◴[16 Sep 25 20:38 UTC] No.45267701{3}[source]
A brief but important point is that this primarily holds true in the context of rewriting/vendoring utilities yourself, not when discussing importing small vs. large dependencies.

Just because dependencies do a lot more than you need, doesn't mean you should automatically reach for the smallest dependency that fits your needs.

If you need 5 of the dozens of Lodash functions, for instance, it might be best to just install Lodash and let your build step shake out any unused code, rather than importing 5 new dependencies, each with far fewer eyes and release-management best practices than the Lodash maintainers have.

replies(3): >>45268248 #>>45268399 #>>45269728 #
17. philipwhiuk ◴[16 Sep 25 20:39 UTC] No.45267705{3}[source]
Do you have any evidence it wouldn't just make up code.
18. umvi ◴[16 Sep 25 21:16 UTC] No.45268170[source]
"A little copying is better than a little dependency" -- Go proverb (also applies to other programming languages)
19. shakna ◴[16 Sep 25 21:18 UTC] No.45268191{3}[source]
Requiring you to audit both security and robustness on the LLM generated code.

Creating two problems, where there was one.

replies(2): >>45269859 #>>45271077 #
20. jay_kyburz ◴[16 Sep 25 21:22 UTC] No.45268248{4}[source]
Yes, fewer, larger, trustworthy dependencies with tree shaking is the way to go if you ask me.
replies(1): >>45268390 #
21. kristianbrigman ◴[16 Sep 25 21:26 UTC] No.45268298[source]
One interesting side effect of AI is that it makes it sometimes easy to just recreate the behavior, perhaps without even realizing it..
22. _puk ◴[16 Sep 25 21:33 UTC] No.45268390{5}[source]
Almost like a standard library..
replies(2): >>45268741 #>>45272423 #
23. Terr_ ◴[16 Sep 25 21:33 UTC] No.45268399{4}[source]
I think the level of protection you get from that depends on how the unused code detection interacts with whatever tricks someone is using for malicious code.
24. jay_kyburz ◴[16 Sep 25 22:00 UTC] No.45268741{6}[source]
Yeah, but perhaps we could have different flavors. If you like functional style you could have a very functional standard library that doesn't mutate anything, or if you like object oriented stuff you could have classes of object with methods that mutate themselves. And the Typescript folks could have a strongly typed library.
25. respondo2134 ◴[16 Sep 25 22:11 UTC] No.45268880[source]
>> and keeping them to well-known and trustworthy (security-wise) creators.

The true threat here isn't the immediate dependency though, it's the recursive supply chain of dependencies. "trustworthy" doesn't make any sese either when the root cause is almost always someone trustworthy getting phished. Finally if I'm not capable of auditing the dependencies it's unlikely I can replace them with my own code. That's like telling a vibe coder the solution to their brittle creations is to not use AI and write the code themselves.

replies(2): >>45270500 #>>45270620 #
26. const_cast ◴[16 Sep 25 22:22 UTC] No.45269005{3}[source]
This is already a thing, compiled languages have been doing this for decades. This is just C++ templates with extra steps.
27. LtWorf ◴[16 Sep 25 22:30 UTC] No.45269090{5}[source]
If it's that little review the dependency.
replies(1): >>45272950 #
28. appreciatorBus ◴[16 Sep 25 22:30 UTC] No.45269094{4}[source]
Sure but that's a one time vector. If the attacker didn't infiltrate the LLM before it generated the code, then the code is not going to suddenly go hostile like an npm package can.
29. reaperducer ◴[16 Sep 25 22:37 UTC] No.45269164[source]
it's probably even less feasible to rewrite every single dependency from scratch.

When you code in a high-security environment, where bad code can cost the company millions of dollars in fines, somehow you find a way.

The sibling commenter is correct. You write what you can. You only import from trusted, vetted sources.

30. j1elo ◴[16 Sep 25 22:53 UTC] No.45269333{3}[source]
I'm re-reading all these previous comments, replacing "dependency" for "liability" in my mind, and it's being quite fun to see how well everything still keeps meaning the same, but better
31. latexr ◴[16 Sep 25 23:38 UTC] No.45269728{4}[source]
The argument wasn’t to import five dependencies, one for each of the functions, but to write the five functions yourself. Heck, you don’t even need to literally write them, check the Lodash source and copy them to your code.
replies(3): >>45269898 #>>45269917 #>>45272318 #
32. bennyg ◴[16 Sep 25 23:54 UTC] No.45269859{4}[source]
I didn't say generate :) - in all seriousness, I think you could reasonably have it copy the code for e.g. lodash.merge() and paste it into your codebase without the headaches you're describing. IMO, this method would be practical for a majority of npm deps in prod code. There are some I'd want to rely on the lib (and its maintenance over time), but also... a sort function is a sort function.
replies(1): >>45270170 #
33. halflife ◴[17 Sep 25 00:00 UTC] No.45269898{5}[source]
And then when node is updated and natively supports set intersections you would go back to your copied code and fix it?
replies(2): >>45270249 #>>45273825 #
34. mandevil ◴[17 Sep 25 00:03 UTC] No.45269917{5}[source]
This might be fine for some utility functions which you can tell at a glance have no errors, but for anything complex, if you copy you don't get any of the bug/security fixes that upstream will provide automatically. Oh, now you need a shim of this call to work on the latest Chrome because they killed an api- you're on your own or you have to read all of the release notes for a dependency you don't even have! But taking a dependency on some other library is, as you note, always fraught. Especially because of transitive dependencies, you end up having quite a target surface area for every dep you take.

Whether to take a dependency is a tricky thing that really comes down to engineering judgement- the thing that you (the developer) are paid to make the calls on.

replies(1): >>45270873 #
35. wongarsu ◴[17 Sep 25 00:27 UTC] No.45270066{3}[source]
The perfect storm of on the one side junior developers who are afraid of writing even trivial code and are glad if there's a package implementing functionality that can be done in a one-liner, and on the other side (often junior) developers who want to prove themselves and think the best way to do that is to publish a successful npm package
replies(2): >>45270499 #>>45272644 #
36. shakna ◴[17 Sep 25 00:44 UTC] No.45270170{5}[source]
LLMs don't copy and paste. They ingest and generate. The output will always be a generated something.
replies(2): >>45270709 #>>45281752 #
37. 8note ◴[17 Sep 25 00:44 UTC] No.45270175[source]
is it that infeasible with LLMs?

a lor of these dependencies are higher order function definitions, which never change, and could be copy/pasted around just fine. they're never gonna change

38. skydhash ◴[17 Sep 25 00:54 UTC] No.45270249{6}[source]
If it works, why do so? Unless there's a clear performance boost, and if so you already know the code and can quickly locate your interpreted version.

Or At the time of adding you can add a NOTE or FIXME comment stating where you copied it from. A quick grep for such keyword can give you a nice overview of nice to have stuff. You can also add a ticket with all the details if you're using a project management tool and resuscitate it when that hypothetical moment happens.

39. motorest ◴[17 Sep 25 01:08 UTC] No.45270337[source]
> I think this is a good argument for reducing your dependency count as much as possible, and keeping them to well-known and trustworthy (security-wise) creators.

I wonder to which extent is the extreme dependency count a symptom of a standard library that is too minimalistic for the ecosystem's needs.

Perhaps this issue could be addressed by a "version set" approach to bundling stable npm packages.

replies(1): >>45270657 #
40. motorest ◴[17 Sep 25 01:13 UTC] No.45270363[source]
> If it's not feasible to audit every single dependency, it's probably even less feasible to rewrite every single dependency from scratch.

There is no need to rewrite dependencies. Sometimes it just so happens that a project can live without outputting fancy colorful text to stdout, or doesn't need to spread transitive dependencies on debug utilities. Perhaps these concerns should be a part of the standard library, perhaps these concerns are useless.

And don't get me started on bullshit polyfill packages. That's an attack vector waiting to be exploited.

41. bobthepanda ◴[17 Sep 25 01:29 UTC] No.45270499{4}[source]
The blessing and curse of frontend development is that there basically isn't a barrier to entry given that you can make some basic CSS/JS/HTML and have your browser render it immediately.

There's also the flavor of frontend developer that came from the backend and sneers at actually having to learn frontend because "it's not real development"

replies(2): >>45271721 #>>45274085 #
42. ◴[17 Sep 25 01:29 UTC] No.45270500[source]
43. smrtinsert ◴[17 Sep 25 01:32 UTC] No.45270519[source]
Its much more feasible these days. These days for my personal projects I just have CC create only a plain html file with raw JS and script links.
44. autoexec ◴[17 Sep 25 01:33 UTC] No.45270529{3}[source]
> It isn't feasible to audit every line of every dependency, just as it's not possible to audit the full behavior of every employee that works at your company.

Your employees are carefully vetted before hiring. You've got their names, addresses, and social security numbers. There's someone you're able to hold accountable if they steal from you or start breaking everything in the office.

This seems more like having several random contractors who you've never met coming into your business in the middle of night. Contractors that were hired by multiple anonymous agencies you just found online somewhere with company names like gkz00d or 420_C0der69 who you've also never even spoken to and who have made it clear that they can't be held accountable for anything bad that happens. Agencies that routinely swap workers into or out of various roles at your company without asking or telling you, so you don't have any idea who the person working in the office is, what they're doing, or even if they're supposed to be there.

"To make thing easier for us we want your stuff to require the use of a bunch of code (much of which does things you don't even need) that we haven't bothered looking at because that'd be too much work for us. Oh, and third parties we have no relationship with control a whole bunch of that code which means it can be changed at any moment introducing bugs and security issues we might not hear about for months/years" seems like it should be a hard sell to a boss or a client, but it's sadly the norm.

Assuming that something is going to go wrong and trying to limit the inevitable damage is smart, but limiting the amount of untrustworthy code maintained by the whims of random strangers is even better. Especially when the reasons for including something that carries so much risk is to add something trivial or something you could have just written yourself in the first place.

replies(2): >>45272298 #>>45273210 #
45. autoexec ◴[17 Sep 25 01:49 UTC] No.45270620[source]
> Finally if I'm not capable of auditing the dependencies it's unlikely I can replace them with my own code. That's like telling a vibe coder the solution to their brittle creations is to not use AI and write the code themselves.

In both cases, actually doing the work and writing a function instead of adding a dependency or asking an AI to write it for you will probably make you a better coder and one who is better able to audit code you want to blindly trust in the future.

replies(1): >>45273892 #
46. DrewADesign ◴[17 Sep 25 01:54 UTC] No.45270657[source]
I remember people in the JS crowd getting really mad at the implication that this all was pretty much inevitable, like 10/15 years ago. Can’t say they didn’t do great things since then, but it’s not like nobody saw this coming.
47. TheBicPen ◴[17 Sep 25 02:04 UTC] No.45270709{6}[source]
In 2022, sure. But not today. Even something as simple as generating and running a `git clone && cp xyz` command will create code not directly generated by the LLM.
replies(1): >>45288106 #
48. smaudet ◴[17 Sep 25 02:14 UTC] No.45270790[source]
I found it funny back when people were abandoning Java for JavaScript thinking that was better somehow...(especially in terms of security)

NPM is good for building your own stack but it's a bad idea (usually) to download the Internet. No dep system is 100% safe (including AI, generating new security vulns yay).

I'd like to think that we'll all stop grabbing code we don't understand and thrusting it into places we don't belong, or at least, do it more slowly, however, I also don't have much faith in the average (especially frontend web) dev. They are often the same idiots doing XYZ in the street.

I predict more hilarious (scary even) kerfuffles, probably even major militaries losing control of things ala Terminator style.

replies(1): >>45271013 #
49. vasco ◴[17 Sep 25 02:22 UTC] No.45270855{4}[source]
What paper?
replies(1): >>45271127 #
50. jonquest ◴[17 Sep 25 02:24 UTC] No.45270873{6}[source]
The massive amount of transitive dependencies is exactly the problem with regard to auditing them. There are successful businesses built solely around auditing project dependencies and alerting teams of security issues, and they make money at all because of the labor required to maintain this machine.

It’s not even a judgement call at this point. It’s more aligned with buckling your seatbelt, pointing your car off the road, closing your eyes, flooring it and hoping for a happy ending.

51. hshdhdhj4444 ◴[17 Sep 25 02:44 UTC] No.45271013{3}[source]
It’s not clear to me what this has to do with Java vs JavaScript (unless you’re referring to the lack of a JS standard library which I think will pretty much minimize this issue).

In fact, when we did have Java in the browser it was loaded with security issues primarily because of the much greater complexity of the Java language.

replies(3): >>45271560 #>>45271770 #>>45273237 #
52. hshdhdhj4444 ◴[17 Sep 25 02:47 UTC] No.45271035{3}[source]
I agree with this but the problem is that a lot of the extra stuff dependencies do is indeed to protect from security issues.

If you’re gonna reimplement only thr code you need from a dependency, it’s hard to know of the stuff you’re leaving out how much is just extra stuff you don’t need and how much might be security fixes that may not be apparent to you but the dependency by virtue of being worked upon and used by many people has fixed.

53. vFunct ◴[17 Sep 25 02:52 UTC] No.45271065{3}[source]
I'm using LLMs to write stuff that would normally be in dependencies, mostly because I don't want to learn how to use the dependency, and writing a new one from scratch is really easy with LLMs.
replies(1): >>45272434 #
54. vFunct ◴[17 Sep 25 02:55 UTC] No.45271077{4}[source]
LLMs can do the audits now.
55. what ◴[17 Sep 25 03:02 UTC] No.45271127{5}[source]
Presumably this: https://github.com/zahlman/paper
replies(1): >>45278782 #
56. lmz ◴[17 Sep 25 04:08 UTC] No.45271560{4}[source]
It's not the language it's the library that's not designed to isolate untrusted code from the start. Much harder to exit the sandbox if your only I/O mechanism is the DOM, alert() and prompt().
replies(1): >>45271739 #
57. pxc ◴[17 Sep 25 04:36 UTC] No.45271721{5}[source]
> There's also the flavor of frontend developer that came from the backend and sneers at actually having to learn frontend because "it's not real development"

What kind of code does this developer write?

replies(3): >>45271929 #>>45272283 #>>45278523 #
58. smaudet ◴[17 Sep 25 04:40 UTC] No.45271739{5}[source]
And the whole rest of the Internet...

The issue here is not Java or it's complexity. The point is also not Java, it's incidental that it was popular at the time. It's people acting irrationally about things and jumping ship for an even-worse system.

Like, yes, if that really were the whole attack surface of JS, sure nobody would care. They also wouldn't use it...and nothing we cared about would use it either...

59. smaudet ◴[17 Sep 25 04:45 UTC] No.45271770{4}[source]
Java has maven, and is far from immune from similar types of attacks. However, it doesn't have the technological monstrosity named NPM. In fact that aforementioned complexity is/was an asset in raising the bar, however slightly, in producing java packages. Crucially, that ecosystem is nowhere near as absurdly complex (note, I'm ignoring the I'll fated cousin that is Gradle, and is also notorious for being a steaming pile of barely-working inscrutable dependencies)

Anyways, I think you are missing the forest for the trees if you think this is a Java vs JavaScript comparison, don't worry it's also possible to produce junk enterprise code too...

Just amusing watching people be irrationally scared of one language/ecosystem vs another without stopping to think why or where the problems are coming from.

60. garbagepatch ◴[17 Sep 25 05:09 UTC] No.45271929{6}[source]
As little code as possible to get the job done without enormous dependencies. Avoiding js and using css and html as much as possible.
replies(1): >>45272213 #
61. lukan ◴[17 Sep 25 05:40 UTC] No.45272158{4}[source]
I did not say to do blind copy paste.

A few lines of code can be audited.

62. sfn42 ◴[17 Sep 25 05:50 UTC] No.45272213{7}[source]
Sounds like the perfect frontend dev to me.
replies(1): >>45272303 #
63. lodovic ◴[17 Sep 25 06:01 UTC] No.45272283{6}[source]
Usually they write only prompts and then accept whatever is generated, ignoring all typing and linting issues
replies(1): >>45272618 #
64. skwashd ◴[17 Sep 25 06:04 UTC] No.45272298{4}[source]
> This seems more like having several random contractors who you've never met coming into your business in the middle of night. [...] Agencies that routinely swap workers into or out of various roles at your company without asking or telling you, so you don't have any idea who the person working in the office is, what they're doing, or even if they're supposed to be there.

Sounds very similar to how global SIs staff enterprise IT contracts.

65. cluckindan ◴[17 Sep 25 06:05 UTC] No.45272303{8}[source]
The designer, the customer, and US/EU accessibility laws heavily disagree.
replies(6): >>45272642 #>>45272704 #>>45272774 #>>45272992 #>>45274092 #>>45280222 #
66. cluckindan ◴[17 Sep 25 06:07 UTC] No.45272318{5}[source]
You have obviously never checked the Lodash source.
replies(1): >>45273560 #
67. baq ◴[17 Sep 25 06:23 UTC] No.45272423{6}[source]
I wanted to make a joke about

   npm install stdlib
…but double checked before and @stdlib/stdlib has 58 dependencies, so the joke preempted me.
68. baq ◴[17 Sep 25 06:26 UTC] No.45272434{4}[source]
Age of bespoke software is here. Did you have any hard to spot non-obvious bugs in these code units?
69. 2muchcoffeeman ◴[17 Sep 25 06:49 UTC] No.45272618{7}[source]
Prompts? React and Angular came out over 10 years ago. The left pad incident happened in 2016.

Let me assure you, devs were skeptical about all this well before AI.

70. Philadelphia ◴[17 Sep 25 06:52 UTC] No.45272642{9}[source]
How is javascript required for accessibility? I wasn’t aware of that.
replies(1): >>45272968 #
71. whstl ◴[17 Sep 25 06:53 UTC] No.45272644{4}[source]
People pushing random throwaway packages is not the issue.

A lot of the culture is built by certain people who make a living out of package maximalism.

More packages == more eyballs == more donations.

They have an agenda that small packages are good and made PRs into popular packages to inject their junk into the supply chain.

72. NackerHughes ◴[17 Sep 25 07:01 UTC] No.45272704{9}[source]
The designer wants huge amounts of screen space wasted on unnnecessary padding, massive Fisher-Price rounded corners, and fancy fading and sliding animations that get in the way and slow things down. (Moreover, the designer just happens to want to completely re-design everything a few months later.)

The customer “ooh”s and “aah”s at said fancy animations running on the salesman’s top of the line macbook pro and is lured in, only realising too late that they’ve been bitten in the ass by the enormous amount of bloat that makes it run like a potato on any computer that costs less than four thousand dollars.

And US/EU laws are written by clueless bureaucrats whose most recent experience with technology is not even an electric typewriter.

What’s your point?

replies(3): >>45273543 #>>45273548 #>>45275705 #
73. whstl ◴[17 Sep 25 07:12 UTC] No.45272774{9}[source]
The designer already disagrees with accessibility laws. Contrast is near zero.
74. lukan ◴[17 Sep 25 07:35 UTC] No.45272950{6}[source]
The difference is, the dependency can change and is usually way harder to audit. Subfolders in subfolder, 2 lines here in a file, 3 line there vs locking at some files and check what they do.
75. boesboes ◴[17 Sep 25 07:38 UTC] No.45272968{10}[source]
It is not. In fact, it is all the modern design sensibilities and front-end frameworks that make it nearly impossible to make accessible things.

We once had the rule HTML should be purely semantic and all styling should be in CSS. It was brilliant, even though not everything looked as fancy as today.

replies(1): >>45273553 #
76. sfn42 ◴[17 Sep 25 07:42 UTC] No.45272992{9}[source]
A11y is mostly handled by just using semantic html.

The designer, in my experience, is totally fine with just using a normal select element, they don't demand that I reinvent the drop-down with divs just to put rounded corners on the options.

Nobody cares about that stuff. These are minor details, we can change it later if someone really wants it. As long as we're not just sitting on our hands for lack of work I'm not putting effort into reinventing things the browser has already solved.

replies(2): >>45273573 #>>45274188 #
77. xorcist ◴[17 Sep 25 08:16 UTC] No.45273210{4}[source]
That hit much too close to reality. It's exactly like that. Even the names were spot on!
78. mike_hearn ◴[17 Sep 25 08:20 UTC] No.45273237{4}[source]
In that era JavaScript was also loaded with security issues. That's why browsers had to invest so much in kernel sandboxing. Securing JavaScript VMs written by hand in C++ is a dead end, although ironically given this post, it's easier when they're written in Java [1]

But the reason Java is more secure than JavaScript in the context of supply chain attacks is fourfold:

1. Maven packages don't have install scripts. "Installing" a package from a Maven repository just means downloading it to a local cache, and that's it.

2. Java code is loaded lazily on demand, class at a time. Even adding classes to a JAR doesn't guarantee they'll run.

3. Java uses fewer, larger, more curated libraries in which upgrades are a more manual affair involving reading the release notes and the like. This does have its downsides: apps can ship with old libraries that have unfixed bugs. Corporate users tend to have scanners looking for such problems. But it also has an upside, in that pushing bad code doesn't immediately affect anything and there's plenty of time for the author to notice.

4. Corporate Java users often run internal mirrors of Maven rather than having every developer fetch from upstream.

The gap isn't huge: Java frameworks sometimes come with build system plugins that could inject malware as they compile the code, and of course if you can modify a JAR you can always inject code into a class that's very likely to be used on any reasonable codepath.

But for all the ragging people like to do on Java security, it was ahead of its time. A reasonable fix for these kind of supply chain attacks looks a lot like the SecurityManager! The SecurityManager didn't get enough adoption to justify its maintenance costs and was removed, partly because of those factors above that mean supply chain attacks haven't had a significant impact on the JVM ecosystem yet, and partly due to its complexity.

It's not clear yet what securing the supply chain in the Java world will look like. In-process sandboxing might come back or it might be better to adopt a Chrome-style microservice architecture; GraalVM has got a coarser-grained form of sandboxing that supports both in-process and out-of-process isolation already. I wrote about the tradeoffs involved in different approaches here:

https://blog.plan99.net/why-not-capability-languages-a8e6cbd...

[1] https://medium.com/graalvm/writing-truly-memory-safe-jit-com...

79. silon42 ◴[17 Sep 25 08:41 UTC] No.45273381[source]
IMO, one thing I like in npm packages is that that usually they are small, and they should ideally converge towards stability (frozen)...

If they are not, something is bad and the dependency should be "reduced" if at all possible.

80. cluckindan ◴[17 Sep 25 09:12 UTC] No.45273543{10}[source]
Wow, those are some jaded and cynical views.
81. wvh ◴[17 Sep 25 09:12 UTC] No.45273548{10}[source]
I think their point is that you might not have much of a choice, taking laws and modern aesthetic and economic concerns into consideration.

We "in the know" might agree, but we're not going to get it sold.

82. cluckindan ◴[17 Sep 25 09:13 UTC] No.45273553{11}[source]
JS is in fact required for AA level compliance in some cases, usually to retain/move focus appropriately, or to provide expected keyboard controls.

https://www.w3.org/WAI/WCAG22/Techniques/#client-side-script

Also, when was that semantic HTML rule? You make it sound like ancient history, but semantic HTML has only been a thing since HTML5 (2008).

replies(4): >>45273635 #>>45273779 #>>45273867 #>>45273885 #
83. latexr ◴[17 Sep 25 09:15 UTC] No.45273560{6}[source]
The point here isn’t a specific library. It’s not even one specific language or runtime. No one is talking about literally five functions. Let’s not be pedantic and lose sight of the major point.
replies(1): >>45273568 #
84. cluckindan ◴[17 Sep 25 09:17 UTC] No.45273568{7}[source]
I get that, but if you’ve ever tried to extract a single utility function from lodash, you know that it may not be as simple as copy-pasting a single function.
replies(1): >>45274322 #
85. cluckindan ◴[17 Sep 25 09:18 UTC] No.45273573{10}[source]
The word ”mostly” is the crux of the issue.
86. lexicality ◴[17 Sep 25 09:28 UTC] No.45273635{12}[source]
You only need to use scripts to move focus and provide keyboard controls if you have done something to mess with the focus and break the standard browser keyboard controls.

If you're using HTML/CSS sensibly then it's accessible from the get-go by dint of the browser being accessible.

> Also, when was that semantic HTML rule? You make it sound like ancient history, but semantic HTML has only been a thing since HTML5 (2008).

HTML5 added a million new tags, but HTML4 had plenty of semantic tags that people regularly ignored and replaced with <div>, for example <p>, <em>, <blockquote>...

replies(2): >>45276989 #>>45277224 #
87. sfn42 ◴[17 Sep 25 09:50 UTC] No.45273779{12}[source]
In some cases, sure.

I'm not saying the ideal frontend dev writes no JS. I'm saying they write as little as possible. Some times you need JS, nothing wrong with that. The vast majority of the time you don't. And if you do I'd say it's a self-imposed requirement (or a direct/indirect result of a self imposed requirement) most of the time.

replies(1): >>45274152 #
88. tjpnz ◴[17 Sep 25 09:52 UTC] No.45273796[source]
Easier said than done when your ecosystem of choice took the Unix philosophy of doing one thing well, misinterpreted it and then drove it off a cliff. The dependency tree of a simple Python service is incomparable to a Node service of similar complexity.
89. ClikeX ◴[17 Sep 25 09:57 UTC] No.45273825{6}[source]
If you won't, do you expect the maintainer of some micro package to do that?
90. skipchris ◴[17 Sep 25 10:04 UTC] No.45273867{12}[source]
The web standards project was founded in 1998.

https://www.webstandards.org/about/index.html

91. GoblinSlayer ◴[17 Sep 25 10:07 UTC] No.45273885{12}[source]
Some of those are fixes for misbehaving javascript like disabling nonessential alerts, stopping blinking, reducing animation; some are antipatterns like opening new windows, changing link text, colors, scrolling.
92. user34283 ◴[17 Sep 25 10:09 UTC] No.45273892{3}[source]
Just like it's going to make you a better engineer if you design the microchips in your workstation yourself instead of buying an x86 CPU.

It's still neither realistic nor helpful advice.

93. zelphirkalt ◴[17 Sep 25 10:38 UTC] No.45274085{5}[source]
Ha, that's a funny attitude. And here I was thinking, that mostly doing backend work, I rather make the best out of the situation, if I have to do frontend dev, and try to do "real development" by writing trivial things myself, instead of worsening the situation by gluing together mountains of bloat.
94. zelphirkalt ◴[17 Sep 25 10:40 UTC] No.45274092{9}[source]
The designer might only disagree, if they know a lot about frontend technology, and are not merely clicking together a figma castle.

But the middle management might actually praise the developer, because they "get the job done" with the minimal effort (so "efficient"!).

95. darkwater ◴[17 Sep 25 10:47 UTC] No.45274137[source]
Not on HN, the land of "you should use a SaaS or PaaS for that (because I might eventually work there and make money)" or "I don't want to maintain that code because it's not strictly related to my CRUD app business! how you dare!"
96. zelphirkalt ◴[17 Sep 25 10:50 UTC] No.45274152{13}[source]
Recently I took a little dive into making some pages, that have fallback for when the user doesn't run JS. Those pages are polling an API and displaying updated status. I made sure the pages can be reloaded and show updated status information, and telling the user, that they can simply refresh the page to get that updated information, but only showing that hint about reloading, when they do not run JS. Thus I built a workflow, that people can use whether or not they run JS. I did that, because I think it is the right thing, and because I often preach, that most sites should work without JS.

For me as a mostly backend dev, this was actually quite easy to achieve. Tiny modification of the backend API, some work in the frontend using JS to remove hints that should not show when JS is running, and voila, it works. Of course my pages are very simple in nature, but the same principles can be applied to larger pages. One could even link/direct to different pages, depending on the user running JS or not, and then have a workflow without JS and one with JS. It is all possible and only a matter of wanting to make an effort. Of course, modern JS frameworks do not really encourage this kind of design. Though server side rendering becomes more popular these days, I don't think we are quite there yet.

A page that is blank when not running JS has exactly zero accessibility.

97. zelphirkalt ◴[17 Sep 25 10:56 UTC] No.45274188{10}[source]
I hope in the future I can work with that kind of designer. Maybe it is just my limited experience, but in that limited experience, web designers care way too much about details and design features/ideas/concepts, that are not part of HTML or CSS and then frontend developers would have to push back and tell the web designer, that form follows function and that the medium they design for is important. Basic design principles actually, that the designers should know themselves, just like they should know the medium they are targeting (semandic HTML, CSS, capabilities of them both, a tiny bit about JS too), to keep things reasonable. But most frontend devs are happy to build fancy things with JS instead of pushing back when it matters. And not so many frontend devs want to get into CSS deeply and do everything they can to avoid JS. So needless things do get implemented all the time.
98. zelphirkalt ◴[17 Sep 25 11:13 UTC] No.45274322{8}[source]
If you are going to be that specific, then it would be good to post an example. If I remember correctly, lodash has some functions, that would be table stakes in functional languages, or easily built in functional languages. If such a function is difficult to extract, then it might be a good candidate to write in JS itself, which does have some of the typical tools, like map, reduce, and things like compose are easy to write oneself and part of every FP beginner tutorial. If such a function is difficult to extract, then perhaps lodash's design is not all that great. Maybe one could also copy them from elsewhere, where the code is more modular.

But again, if the discussion is going to be that specific, then you would need to provide actual examples, so that we could judge, whether we would implement that ourselves or it would be difficult to do so. Note, that often it is also not required for ones use-case, to have a 100% matching behavior either. The goal is not to duplicate lodash. The purpose of the extracted or reimplemented function would still be ones own project, where the job of that function might be much more limited.

replies(1): >>45275698 #
99. fatchan ◴[17 Sep 25 11:50 UTC] No.45274653[source]
1.2 million weekly downloads to this day, when we've had builtin padStart since ES2017.

Yes, I remember thinking at the time "how are people not ashamed to install this?"

100. cluckindan ◴[17 Sep 25 13:37 UTC] No.45275698{9}[source]
Let’s start with something simple, like difference().

https://github.com/lodash/lodash/blob/main/dist/lodash.js#L7...

So you also need to copy isArrayLikeObject, baseDifference and baseFlatten.

For baseDifference, you also need to copy arrayMap and baseUnary.

For baseFlatten, you also need to copy arrayPush.

For isArrayLikeObject, you also need to copy isArrayLike and isObjectLike.

For isArrayLike, you also need to copy isLength and isFunction.

For isFunction, you also need to copy isObject and baseGetTag.

For baseGetTag, you also need to copy getRawTag and objectToString.

I don’t have time to dig any deeper, just use tree-shaking ffs.

replies(1): >>45276479 #
101. wbl ◴[17 Sep 25 13:38 UTC] No.45275705{10}[source]
I think blind people should be able to use websites.
102. zelphirkalt ◴[17 Sep 25 14:44 UTC] No.45276479{10}[source]
OK in this case it looks like it is doing a lot of at runtime checking of arguments to treat them differently, based on what type of argument they are. If we restrict use to only work with arrays, or whatever we have in our project, where we need `difference`, then it should become much simpler and an easy rewrite. An alternative could be to have another argument, that is the function that gives us the `next` thing. Then the logic for that is to be specified by the caller.

Tree shaking however, will not help you, if you have to first install a library using NPM. It will only help you reduce overhead in the code served to a browser. Malicious code can run much earlier, and would be avoided, if you rewrite or extract relevant code from a library, avoiding to install the library using NPM. Or is there some pre-installation tree shaking, that I am unaware of? That would actually be interesting.

replies(1): >>45277142 #
103. kbolino ◴[17 Sep 25 15:25 UTC] No.45276989{13}[source]
IMO <em> is a terrible example.

For ca. ten years, the advice was to pointlessly "replace <i> with <em> and <b> with <strong>" and it utterly screwed over most new web developers' understanding of semantic tags. There are many reasons to use italics (and they vary between languages) but "emphasis" is just one of them, and none of the others ever materialized as tags.

It would have been far better to have recommended <i class="emphasis"> and <i class="media-title"> and <i class="snarky-aside"> etc. than to have added the <em> tag and said "just use it instead of <i>".

104. cluckindan ◴[17 Sep 25 15:38 UTC] No.45277142{11}[source]
I guess that pre-installation tree shaking in this case is installing ’lodash.difference’ instead of ’lodash’. :)
105. cluckindan ◴[17 Sep 25 15:44 UTC] No.45277224{13}[source]
”You only need to use scripts to move focus and provide keyboard controls if you have done something to mess with the focus and break the standard browser keyboard controls.”

That is straight up untrue. Some ARIA patterns require developers to implement focus management and keyboard access from scratch.

For example, ”Correct implementation of the tree role requires implementation of complex functionality that is not needed for typical site navigation that is styled to look like a tree with expandable sections.”

But sometimes you do need that kind of widget for something else.

https://www.w3.org/WAI/ARIA/apg/patterns/treeview/

replies(1): >>45278320 #
106. lexicality ◴[17 Sep 25 16:52 UTC] No.45278320{14}[source]
Sorry, I completely forgot about the existing semantic tree view element that exists and can be interacted with visually but doesn't provide any accessibility or keyboard support because the browser manufacturers decided to skip that one.

Or are you talking about a situation where the developer has implemented a custom component (aka "done something") which doesn't use the native focus system and therefore requires additional work to make accessible?

replies(1): >>45280687 #
107. bobthepanda ◴[17 Sep 25 17:07 UTC] No.45278523{6}[source]
In my experience, generally speaking there is a kind of this developer that tries to write a language they’re familiar with, but in Javascript. As the pithy saying goes, it takes a lot of skill to write Java in every language.
108. zahlman ◴[17 Sep 25 17:27 UTC] No.45278782{6}[source]
Yes, that. I didn't want to be too spammy, especially since I honestly haven't been getting much of anything done recently (personal reasons).
109. bigstrat2003 ◴[17 Sep 25 19:19 UTC] No.45280222{9}[source]
As the customer, I think that's the perfect frontend dev. Fuck the JS monstrosities that people build, they are so much harder to use than plain HTML.
110. cluckindan ◴[17 Sep 25 20:01 UTC] No.45280687{15}[source]
If by ”done something” you mean the devs made custom widgets have the proper ARIA roles so they’re usable for people who use a keyboard to navigate, or who need screen readers and their plethora of different navigation modes. This is usually the case when a suitable standard component does not exist or is not well supported across browsers. Hierarchical tri-state checkboxes come to mind.

The native focus system typically works just fine, but JS is needed for keyboard interactions and to set things like aria-activedescendant.

111. lgas ◴[17 Sep 25 21:44 UTC] No.45281752{6}[source]
You can give an LLM access to tools that it can invoke to actually copy and paste.
112. boomlinde ◴[18 Sep 25 10:56 UTC] No.45288106{7}[source]
In what way do you think this rebuts the message you responded to?