It's a holdover from previous posts where there were more clearly defined deprecations.

but yes, in this case it's more of a behavioural change of defaults, so they just picked the closest vaguely mapped retired/deprecations tag.

1: https://github.blog/changelog/?type=deprecations

"retired" is probably a followup to functionality that was "deprecated".

I agree "breaking" would be clearer

> It is in the works. The billing team has been sprinting to fix a lot of debt in this area. I don’t have a date.

https://x.com/dok2001/status/2051220429973389622

it's something I feel is finally viable to combat at zero cost to the user.

This plus webmcp would allow it to serve as a form of automod too on websites that you authenticate with (imagine a world where your social media profile has an automod of its own powered locally. can use this to steer your feed or to mute/block/moderate as needbe). Even without WebMCP I have been working on making it autodetect html elements and extract UGC (comments/threads..etc) automatically to moderate (since my initial tests with a small group found some websites with frequent UI changes would break if hardcoded or if they did a lot of AB testing)

Even better, the concept would allow you to also use it to hide certain spoilers (imagine sports or new movies that just came out and you want to not have to hide away from all socials).

didn't find any contacts on your new HN account, but in a few weeks will be able to reach out to you with it fleshed out. :)

We have a community of nearly 14k that we will distribute this to

I wanted to make FOSS codegen that was not locked behind paywalls + had wasm plugins to extend it.

Essentially if you dismiss someone's argument as false just because it may have had a fallacy within it, that reasoning is itself a fallacy.

Some fallacy-seeking people ironically ignore this and just dismiss anything when they have the "gotcha, you made a fallacy therefore everything you said can be concluded as false" moment.

1: https://en.wikipedia.org/wiki/Argument_from_fallacy

> Fast mode usage is billed directly to extra usage, even if you have remaining usage on your plan. This means fast mode tokens do not count against your plan’s included usage and are charged at the fast mode rate from the first token.

https://code.claude.com/docs/en/fast-mode#requirements

You get a good credit score and still live within your means while also getting additional points + bank covering any fraudulent activity if the card got stolen.

Of course this method probably won't work for people that feel they would rather just cut themselves off from temptation fully or those without access to banking systems, which I sympathise with.

I found the feed with it enabled is much better than disabled and I have it finetuned to be more in line with the niches I care about.

I am also very proactive with marking channels or content I don't prefer with the "Not interested" or "Don't recommend channel" as well as going through and pruning any content I don't want from my watch history directly.

It's not perfect but it's orders of magnitude better than my logged out or watch history disabled account (though not sure if they have since updated it to not show anything at all)

Your account might have triggered some flag sometime back and relies on users vouching for your comments so they can become visible again.

C# Native AOT gets rid of the JIT and gives you a pretty good perf+memory profile compared to the past.

It's mostly the stigma of .NET Framework legacy systems that put people off, but modern C# projects are a breeze.

I've been building in my spare time a spam/scam blocking extension and was also playing around with the experimental in-browser LLM feature for this (alongside Aho–Corasick, Naive Bayes and other classifiers)

It's great to see more people tackling this head on, kudos

https://en.wikipedia.org/wiki/Gell-Mann_amnesia_effect

> If a malicious website reads the clipboard, what good is knowing an arbitrary password with no other information?

Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

> If you're talking about a malicious desktop app running on the same system, it's game over anyway because it can read process memory, read keystrokes, etc.

The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised. Even if the direct application you are using is non-malicious, you are left hoping wherever your data ends up isn't a giant treasure trove/honeypot waiting to be compromised by attackers.

The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.

In that case it would be safer for everyone to run Qubes OS and stringently check any application added to their system.

In the end it's a balancing act between convenience and security with which striving for absolute perfection ends up being an enemy of good.

> Sidenote: Most password managers I've used automatically clear the clipboard 10-15s after you copy a credential.

That is true, good password managers took these steps precisely to reduce the clipboard attack surface.

Firefox also took steps in 2021 to also limit leaking secrets via the clipboard.

I really hope you clear your clipboard history entirely after doing your copy/paste method because your credentials would otherwise persist for any other application with clipboard perms to just exfiltrate (which has already been exploited in the wild before)

    npm audit signatures

Additional resources:

- Trusted publishing via OIDC [1]

- Requiring 2FA for package publishing [2]

1: https://docs.npmjs.com/trusted-publishers

2: https://docs.npmjs.com/requiring-2fa-for-package-publishing-...

Comments URL: https://news.ycombinator.com/item?id=45187429

Points: 2

# Comments: 2

You may also be interested in npm package provenance [1] which lets you sign your npm published builds to prove it is built directly from the source being displayed.

This is something ALL projects should strive to setup, especially if they have a lot of dependent projects.

1: https://github.blog/security/supply-chain-security/introduci...