2016: I've Just Liberated My Modules | Hacker News
Unclear how this was solved.

[[The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, "liberated") over 250 NPM modules, making those global names (e.g. "map", "alert", "iframe", "subscription", etc.) available for anyone to register and replace with any code they wish.

Since these libs are now baked into various package.json configuration files (some with tens of thousands of installs per month, "left-pad" with 2.5M/month), a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds. Because most package.json configs use the "^1.0.1" caret convention (and npm --save defaults to this mode), the vast majority of future installs could grab the malicious version.

This is extremely severe. Any package I install might, after x levels of sub-dependencies, pull in one of these names, which are potentially pwned. React and Babel pulled in a few of them, to take some well-known examples.

I would say the whole of npm is pwned until these packages are either restored or the package names are blacklisted/reserved.]]
security  exploit  against  npm  kik 
3 days ago by dandv
Microsoft tests ‘warning’ Windows 10 users not to install Chrome or Firefox - The Verge
"yet another example of Microsoft infesting Windows 10 with annoying ads and pop-ups. [...] Microsoft has previously pushed notifications to Chrome users to tempt them to switch to Edge, used OneDrive ads in File Explorer, and preloaded a variety of crapware apps in Windows 10."
against  Windows  Microsoft 
5 days ago by dandv
Do I need to stretch before exercising? - NHS
Stretching doesn't reduce the risk of injury, and decreases performance.
against  stretching 
6 days ago by dandv
