Profile picture
jordwalke @jordwalke
, 7 tweets, 2 min read Read on Twitter
npm package malware is also a technology problem. Deps should be built at install time, on-host from original inspectable sources but npm practice is to build at package publish time so it runs everywhere w/out a build step. How badly you want JS to "not" be a compiled language!
So you have everyone turning their "JS" into *actual* JavaScript in a way that obscures the original intent, allowing things like the recent vulnerability to slip in easily. To fix this you need a completely different package management philosophy centered around.. Builds!
You can't easily take existing npm packages and run their publish steps at install time on your host, for many many reasons - these transpilation/minification toolchains are huge because they *could* be - they were just publish time dependencies that were dropped once published.
If you thought node_modules were a black hole now, just wait until you also install all the "devDependencies" of all your transitive dependencies. That's if the constraint solver doesn't just completely give up causing pkg version duplication that result in runtime failures/bugs.
And in addition to installing those dependencies every consumer (at install time) would also need to run those build steps on their host and those are typically slower because they always could be - they were only run once at publish time. Until now!
And even *if* you manage to get this far, you'll deal with npm's weird build caching bugs that occur because npm wasn't meant to be used for building things on the install host.
To really address the npm package build/publish problem at its core, @andreypopp and crew have been working on esy.sh - a package.json workflow for Native @reasonml/OCaml that is centered arounds reproducible, cacheable, from-source, builds!
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to jordwalke
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @jordwalke see all

Profile picture
Hot take: Single page documentation is superior to documentation that spoon feeds three paragraphs at a time to you with prev/next pagers at the bottom.
1. Use command+f to search for things like you always do.
2. Easier to keyboard navigate.
3. Can still hyperlink to headers...
4. Instantly gives you all of the docs "offline". Just keep a browser tab open or save the HTML or print to pdf.
5. From maintainer's standpoint, no need to sign up for some service that you (might have to) pay to index your search.
6. Search works in offline mode too because you don't need to connect to a service.
Read 4 tweets

Related threads

Profile picture
IDA's remote debugger is my go-to for debugging malware so that I never have to restore my VM and lose. If you're interested in trying it, I've attached some instructions on how to set it up to debug a DLL. (1/4) #malware #reverseengineering
1. Copy the remote debugger for your platform from the "dbgsrv" directory in your IDA installation directory to the debugging target and execute. -h will show you other options for configuring a password, port number etc. (2/4)
2. On the machine running IDA, select "Remote Windows Debugger" from the debugger dropdown.
3. Select Debugger -> Process Options from the menu, and fill in the parameters. Below I've included a sample configuration.
4. Select OK, and start the debugger like normal. (3/4)
Read 4 tweets
Profile picture
#Khashoggi Case Thread: I am going to ‘pin’ this post to use it as an ‘Info Thread’ on the #Khashoggi Case. I am in #Turkey. I’ve been following the case closely and with access to sources & experts here. This is a very ‘sensitive’ criminal case due to ‘Diplomatic Booby Traps’!!!
The Evidence Obtained Outside Cameras will not show any evidence of ‘tempering’ but other than license plates of dozens of diplomatic cars (Many with tinted windows-large trunks) with related time stamp, drivers Info, model/year: Nothing.
#Turkish Intel-Investigative Bodies also have the list of all Diplomatic & Private Saudi & “other significant’ Planes in #Turkey for the period of ‘interest.’ Many of the Target airports have their own security cameras & related evidence.
Read 335 tweets
Profile picture
Ok, ok. 1 Like = 1 interesting magic system / cost for casting magic. I don't guarantee that all of these will be original as this is pretty well-trodden territory, but they'll certainly be made up on the spot by me.
1. Spellcasting feeds on ambient heat. Magic users leave trails of frost, ice crystals glinting in their hair. Strongest wizards operate in equatorial regions - deserts, tropical rainforests home to key mage colleges.
2. Magic requires pain. Pain is the remorse of matter, magic the expression of this remorse. Mages practice self-flagellation, electrocution, ice baths in order to cast spells. More powerful effects possible in throes of agony. Mage duels quickly escalate as combatants are hurt.
Read 125 tweets
Profile picture
Je suis au plus proche pour soutenir la team médiévale lors du grand débat "team jupette contre team médiévale" de @ConfdHistoire
Dans la team médiévale : @scherzandomusic et @HerodotcomFL

Dans la team jupette : @BrilManon et @ConfdHistoire.

Et en arbitre nota bene mais c'est marrant il ressemble vachement à @dirtybiology enfait.
1er argument de la team jupette : "on a inventé la philosophie". Ça drop le mic dès le premier argument.
Read 19 tweets
Profile picture
Livetweeting of the #GoogleNext18 developer keynote will commence here in this thread around 9am PT. So excited for @mmeckf and everyone else presenting! You can also watch live at g.co/nextonair
And here comes @adamse! He's polling the audience to find out how many people are developers? operators? gophers? #GoogleNext18
"Setting up a server is an API call now." "We don't customize and configure individual servers any more, we use containers."

"The role of developers is changing." #GoogleNext18
Read 83 tweets
Profile picture
Are you one of those people who's looked back on 2017 and convinced yourself that you haven't achieved anything? Worried about catching up with your mates who seem to have done much better?

Let me tell you a story about #time.

A thread 👇
A long #time ago, back when I was about twelve or thirteen years old, my parents travelled to Uyo.

Before leaving, my mother asked me to prepare Edikang ikong soup so she and my father would eat when they returned.
When I was finished with the soup, it was supposed to look something like this:

*photo credit: waiter foodies.
Read 32 tweets

Trending hashtags

#SmartWatch #MSM #OTC #Kill #cycle #prism #supply #domestic #cryptocurrency #stablecoin #Snowden #clothing #SPS #Video #beard #Tezos #product #Time #cheese #global #TrumpJr #Consulate #Assad #internet #NewYorkTimes

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!