/g/ - Technology
File: axios hack.jpg (155 KB, 1200x900)
New supply chain attack just dropped. It just keeps happening.

https://github.com/axios/axios/issues/10604
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
>>
>>108490176
Why didn’t they listen?
>>
based
this is becoming a daily occurrence
soon the internet will be unusable
>>
Keep up to date for security reasons they said, never use outdated versions they said.
>>
10 trillion dollars to Israel will fix this
>>
i hope they infected a nuclear site and the damage has already been done
bonus points if it’s in israel or india
>>
>>108490415
your h-1b is gone and its never coming back
>>
package managers were a mistake
>>
File: 1766437976656039.png (366 KB, 541x800)
>>
>>108490176
What the fuck is a "hidden dependency". it's always going to be in the package-lock.json.
>>108490622
>>108490665
Yeah, better vendor the code and keep that vuln in your project forever bro
>>
just update dependencies to versions at least a few weeks old and you're immune to these attacks
literal nothingburger
>>
>>108490622
Delusional retardation.
>>
>>108490814
The malware post-processes its package.json and probably the lock file too.
>>
>>108490622
>p-package managers bad!
So instead have zero tooling to know what your software actually depends on and no remediation tooling to update vulnerable dependencies? How does your retarded workflow handle the xz backdoor as well? As soon as the value goes up, more and more levels of software development will be compromised. Copy and paste shitters like yourself, nonfree propriecucks, various Linux distros, git remotes and other language package repos.
>>
Package manager cucks seething
>>
>>108490622
Because no one has ever put malware in code repository that you has to manually pull from and manually check for such compromises, right?
>>
>>108491921
>has
had*
>>
daily reminder to consider sandboxing to stop some of these lower effort ones.
I use helix, so I just use it via flatpak:

#!/bin/sh
# add whatever here, e.g. openjdk25,dotnet10,etc
export FLATPAK_ENABLE_SDK_EXT=rust-stable,node24
# default: launch the sandboxed editor with only the current project dir mounted
if [ "$1" != 'enter-shell' ]; then
    flatpak run --filesystem="$PWD" com.helix_editor.Helix "$@"
else
    # 'enter-shell <cmd>' runs a command inside the already running sandbox instead
    shift
    flatpak enter com.helix_editor.Helix "$@"
fi
>>
>>108492247
oh... and edit the permissions for helix_editor in flatseal to remove permissions.
>>
File: 1751559365385301.jpg (44 KB, 416x416)
The funniest part is that the gray beards were right.
>C boomers tell you to write shit yourself and minimize deps
>dont listen to them, claiming that's "code duplication" and treating it like an absolutely evil thing to do
>end up with gigantic supply chain attacks
>>
I maintain a javascript library at work and it has a single third party dependency that I am working toward re-implementing myself in a more efficient way. Then I will never worry about supply chain attacks again
>>
>>108492597
>get UAF, buffer overflows and other basic security bugs instead
real win there, tardo. I remember dhcpd was replaced with some greenfield shitware and had a CVE out of the gate.
>>
>>108490184
It's funny, cause we warned them for years about this. Vibecoded/agentic codebases are the next ones that will be compromised at a large scale. The same amount of ignorance, as with the webshitters.
>>
>>108490622
They were good when perl devs invented and polished the concept and taught everyone to use it.
But you are not perl devs, you inherited traditions from node.js culture, so you produce bloat for job security reasons and then act surprised when the Internet breaks.

When cpan was a thing you would wander in there and actually read the code before using it. Because you just knew that like half of the perl devs were literally l33t coolhax0rs. And yet code from those times contained just regular bugs that sometimes introduced vulns.

Now it's so bad that soon corpos will have completely isolated package management infrastructure. Some already have done that.
>>
>>108490622
It's first and foremost a cultural issue. Package managers themselves alone are not a bad idea.
>>
My coworker said this is because of vibecoding. No clue how that would be the case here.
It's very obviously an issue with centralization and dependency hell.
>>
open source is inherently insecure. Everything you use should be treated as malicious unless you've reviewed the source code
>>
>>108492891
closed source is inherently insecure for the same reason.
>>
>>108492940
Companies can be held liable for damages incurred by breaches so they are incentivized to create safe code
>>
>>108492808
> It's very obviously an issue with centralization and dependency hell
No, it's an issue with bloat. So much bloat produced by people who are paid for volume instead of quality, for creating a perception of solving something important without actually solving something in an efficient way.

You could dispose of 99% of garbage code in 99% of most popular open source projects and humanity would actually benefit from that and lose nothing.
That is where the real issue is. That's why nobody can afford to read all that constantly updated bullshit in every package they depend on.
>>
>>108492953
WITHOUT WARRANTY
>>
>>108490622
All the seething jeet replies prove you right
>>
>>108492953
>companies can be held liable
and my semen comes out in 8 different colors
>>
Okay, but how does this affect me personally?
>>
>>108492955
Trying to reduce bloat and dependency hell in open source projects is how you get shit like systemd, because the only way to reduce the amount of code and the amount of projects is to forcefully remove them from circulation
There is no good solution. Open Source is simply a terrible idea for anything beyond individual self-contained projects, or stuff like zlib and FFMPEG which can be integrated into third party utilities and have a clearly defined purpose and scope.
>>
>>108492648
You are so stupid. You have made an absolutely terrible argument. Just saying.
>>
>>108490176
> Axios is a promise-based HTTP Client [...]
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
Let me guess, you need more?
>>
>>108495847
You don't. I remember I used axios often. Very convenient. But no idea who would need it when you can make an LLM write stupid boilerplate, which is the purpose of an LLM to begin with.
>>
I'm more curious how a massive library with active maintenance managed to get pwned.
In 99.99% cases some autist notices it beforehand, so how did they fuck up this time?
>>
>>108495907
xz had some state sponsored agent get in with quality contributions before submitting the exploit. he then obviously disappears but he was just some ghost to begin with.
>>
>>108490176
How many times does npm gotta get backdoored? lmfao
>>
File: qbQQbgw_d.png (137 KB, 552x390)
>>108495907
Ok nvm I've read it up
>compromised account + backdoor dependency
HAVE THESE RETARDS NEVER HEARD OF DEPENDENCY VERIFICATION? IS IT NOT A THING IN THE WEBSHITTER WORLD?
Gradle wins again.
>>
>>108495950
The frontend world is more or less a decade behind in what you'd consider sane practices compared to the backend nerds.
>>
>goyscript
>>
>>108493196
Is it possible to attain this fagness?
>>
>>108490176
zzzzzzzzzzzzzzzzzzzzzzz
>>
>>108492247
just use bwrap
>>
>>108495808
>base64 encoded instructions executed at build time and is triaged, day 0
>your shitty NIH C code base getting hacked or crashing frustrating users
Which is more likely?
>>
>>108495950
None of that would save you from malware stealing your credentials, dumb ass.
>>
>>108495847
Yes. A lot more. Fetch is dog shit and anyone claiming otherwise is delusional. You still can't do upload progress with it, something axios does for you. I'm not going to defend it since xhr generally just works, albeit with its own bullshit, but this "just use fetch" is total copium. Combine that with web defined streams as being the worst piece of webshit ever made as well, especially when node's are extremely sane in contrast.
>>
>>108492648
>>108497491
>low iq monkey man destroyed by words
beautiful to see
>>
>>108497500
>None of that would save you from malware stealing your credentials, dumb ass.
It literally would, retard. Do you even know what dependency verification is? The build would fail because of both checksum and pgp signature verification failures, and then all fucking alarm bells would go off because literally everyone will see that someone is attempting to sneak in malicious (untrusted) code into the library.
