Hacker News: Rockslide

New comment by Rockslide in "The White House is already one of the most blocked accounts on Bluesky"

Rockslide — Sun, 19 Oct 2025 21:08:16 +0000

Just Dance Vance's shitposting doesn't even qualify as "ideas".

New comment by Rockslide in "Show HN: Tips to stay safe from NPM supply chain attacks"

Rockslide — Mon, 22 Sep 2025 10:22:16 +0000

Figuring out what is true for npm v5 is quite the waste of time, given that we are currently at v11. And that's what this ancient stackoverflow thread is about. npm certainly has a troubled past, otherwise we wouldn't have yarn and pnpm and whatnot. But _today_, npm install works very reasonably with lockfiles.

New comment by Rockslide in "Show HN: Tips to stay safe from NPM supply chain attacks"

Rockslide — Mon, 22 Sep 2025 09:26:36 +0000

npm install does install the exact versions from the lockfile. Even though this misconception gets repeated in every single thread about npm here on hn. npm install will not randomly update your direct dependencies, let alone transitive dependencies.

New comment by Rockslide in "Show HN: Tips to stay safe from NPM supply chain attacks"

Rockslide — Mon, 22 Sep 2025 09:03:49 +0000

That first recommendation of pinning exact versions of each and every dependency is borderline insane. That's exactly what lockfiles are for. Which are used by default.

New comment by Rockslide in "Pnpm has a new setting to stave off supply chain attacks"

Rockslide — Thu, 18 Sep 2025 18:51:02 +0000

Well there are other lockfile updates as well, which aren't dependency version changes either. e.g. if the lockfile was created with an older npm version, running npm install with a newer npm version might upgrade it to a newer lockfile format and thus result in huge diffs. But that wouldn't change anything about the versions used for your dependencies.

New comment by Rockslide in "Pnpm has a new setting to stave off supply chain attacks"

Rockslide — Thu, 18 Sep 2025 16:16:06 +0000

> You've partially answered your own question here.

Is that the case? If it were ever true (outside of outright bugs in npm), it must have been many many years and major npm releases ago. So that doesn't justify brigading outdated information.

New comment by Rockslide in "Pnpm has a new setting to stave off supply chain attacks"

Rockslide — Thu, 18 Sep 2025 16:13:17 +0000

Yes. As someone who's using npm install daily, and given the update cadence of npm packages, I would end up with dirty lock files very frequently if the parent statement were true. It just doesn't happen.

New comment by Rockslide in "Pnpm has a new setting to stave off supply chain attacks"

Rockslide — Thu, 18 Sep 2025 13:13:26 +0000

How does this get repeated over and over, when it's simply not true? At least not anymore. npm install will only update the lockfile if you make changes to your package.json. Otherwise, it will install the versions from the lockfile.

New comment by Rockslide in "Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised"

Rockslide — Tue, 16 Sep 2025 21:09:27 +0000

Those stackoverflow posts are ancient and many major npm releases old, so in other words: irrelevant. That blog post is somewhat up to date but also very vague about the circumstances which would update the lockfile. Which certainly isn't that npm install updates dependencies to newer versions within the semver range, because it absolutely does not.

New comment by Rockslide in "Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised"

Rockslide — Tue, 16 Sep 2025 16:28:49 +0000

Well but the docs you cited don't match what you stated. You can delete node_modules and reinstall, it will never update the package-lock.json, you will always end up with the exact same versions as before. The package-lock updating happens when you change version numbers in the package.json file, but that is very much expected! So no, running npm install will not pull in new versions randomly.

New comment by Rockslide in "Show HN: Nue – Apps lighter than a React button"

Rockslide — Tue, 01 Apr 2025 13:47:22 +0000

> What's next We're improving the developer experience in three distinct phases: Framework -> Design -> Cloud

So the "cloud" part is where the enshittification will begin. Been there, done that, switched away from next.js :|

New comment by Rockslide in "BigQuery pricing model cost us $10k in 22 seconds"

Rockslide — Tue, 25 Mar 2025 17:11:14 +0000

You have that mixed up, storage and ingestion is cheap in BigQuery but processing is exactly were they grab $$$

New comment by Rockslide in "BigQuery pricing model cost us $10k in 22 seconds"

Rockslide — Tue, 25 Mar 2025 17:09:34 +0000

Yes the whole consultancy situation really is the icing on the cake - as the customer you pay for (alleged) experts in the field and get this as the result...

New comment by Rockslide in "BigQuery pricing model cost us $10k in 22 seconds"

Rockslide — Tue, 25 Mar 2025 17:05:41 +0000

Sorry but that's nonsense. Partitioning is THE central cost controlling mechanism in BigQuery and the docs clearly state this. And it's an easy to use feature, so I'm not sure what makes you think using that would be as challenging as building your own query engine.

New comment by Rockslide in "BigQuery pricing model cost us $10k in 22 seconds"

Rockslide — Tue, 25 Mar 2025 16:52:40 +0000

I don't have a lot of sympathy for people using their tools wrong. Using partitioning surely would have prevented this.

New comment by Rockslide in "Send Email Directly from JavaScript"

Rockslide — Sun, 05 Sep 2021 09:04:50 +0000

Adding a contact form to a statically generated website - that's what I use it for (all email goes to a single predefined account)

New comment by Rockslide in "Google Compute Engine VM takeover via DHCP flood"

Rockslide — Tue, 29 Jun 2021 11:45:02 +0000

it literally says "same project" right there

New comment by Rockslide in "Lets talk about changelogs (how I loathe 'bugfixes and performance improvements)"

Rockslide — Sat, 02 Jan 2021 14:42:44 +0000

> If that is all you're going to put there, then just leave it blank.

Well, I would love to. Unfortunately neither Play Store nor App Store allow you to do that... so "bug fixes and performance improvements" it is, 99% of the time.

New comment by Rockslide in "German stock trading platform Xetra down, all securities affected"

Rockslide — Wed, 01 Jul 2020 16:16:15 +0000

Tradegate is even 08-22...

New comment by Rockslide in "German stock trading platform Xetra down, all securities affected"

Rockslide — Wed, 01 Jul 2020 13:28:13 +0000

It was on German n-tv. Although they now state the opposite here: https://www.n-tv.de/wirtschaft/der_boersen_tag/Arger-ueber-F...