> "Supply is capped at about ten per day. Individual squatting (buy at auction, hold, resell) is possible. "

Won't this mean that squatters will keep buying the top-alexa domains for the first few years?

I'd have liked to see a comparision with other "crypto"-led infra in this space. .eth/ENS, namecoin, .box, .bit for eg.

was originally only intended to represent glossaries of terms and their definitions.

TIL I’ve been naming it wrong for a decade.

]]>Sat, 23 May 2026 13:57:53 +0000https://news.ycombinator.com/item?id=48247747captn3m0https://news.ycombinator.com/item?id=48247747https://news.ycombinator.com/item?id=48247747There’s almost a dozen cybersecurity companies scanning NPM publishes in real-time and analysing them.

]]>Sat, 23 May 2026 08:43:29 +0000https://news.ycombinator.com/item?id=48245943captn3m0https://news.ycombinator.com/item?id=48245943https://news.ycombinator.com/item?id=48245943They publish some stats at https://railway.com/stats

72M deploys from 3M customers across 10M services in the last month.

]]>Wed, 20 May 2026 21:58:02 +0000https://news.ycombinator.com/item?id=48214772captn3m0https://news.ycombinator.com/item?id=48214772https://news.ycombinator.com/item?id=48214772The incentives are nicer here, from what I’ve heard: AWS TAMs are not reviewed in revenue at all. And cost savings for customers actually counts as a win for them.

]]>Wed, 20 May 2026 09:09:57 +0000https://news.ycombinator.com/item?id=48205031captn3m0https://news.ycombinator.com/item?id=48205031https://news.ycombinator.com/item?id=48205031Is this generated with a Markov chain?

]]>Wed, 20 May 2026 07:31:42 +0000https://news.ycombinator.com/item?id=48204351captn3m0https://news.ycombinator.com/item?id=48204351https://news.ycombinator.com/item?id=48204351All three links animate for me.

]]>Tue, 19 May 2026 18:29:40 +0000https://news.ycombinator.com/item?id=48197294captn3m0https://news.ycombinator.com/item?id=48197294https://news.ycombinator.com/item?id=48197294They typically use a visual editor like Inkscape with visual feedback. Nobody is hand-coding a complex SVG.

]]>Tue, 19 May 2026 13:52:41 +0000https://news.ycombinator.com/item?id=48193329captn3m0https://news.ycombinator.com/item?id=48193329https://news.ycombinator.com/item?id=48193329This has a security implication which is overlooked. Contributors to a repository have higher rights, such as avoiding approval requirements for fork PR runs. GitHub warns in the docs:

> When requiring approvals only for first-time contributors (the first two settings), a user that has had any commit or pull request merged into the repository will not require approval. A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer, either as part of a pull request they have authored or as part of another user's pull request.

]]>Mon, 18 May 2026 16:07:14 +0000https://news.ycombinator.com/item?id=48181657captn3m0https://news.ycombinator.com/item?id=48181657https://news.ycombinator.com/item?id=48181657X is the adjective framing.

]]>Sun, 17 May 2026 15:37:21 +0000https://news.ycombinator.com/item?id=48169875captn3m0https://news.ycombinator.com/item?id=48169875https://news.ycombinator.com/item?id=48169875Isn’t splitting code and meta into two repos the same solution here? Like how GitHub tracks your Wiki in a separate repo (which you could repurpose for your issues, even).

]]>Sat, 16 May 2026 11:51:19 +0000https://news.ycombinator.com/item?id=48159330captn3m0https://news.ycombinator.com/item?id=48159330https://news.ycombinator.com/item?id=48159330Good place to ask, saw a new AWS User agent in logs today: Amazon-Quick-on-Behalf-of-$HEXID

I found a mention on some user agent trackers but no official documentation. Anyone knows if it’s documented? Asking because I am seeing decent traffic (30GB/week) from this.

]]>Thu, 14 May 2026 22:32:57 +0000https://news.ycombinator.com/item?id=48142138captn3m0https://news.ycombinator.com/item?id=48142138https://news.ycombinator.com/item?id=48142138I saw this lets you do Fax over IP. Any other advantages or usecases?

]]>Wed, 13 May 2026 21:04:46 +0000https://news.ycombinator.com/item?id=48127545captn3m0https://news.ycombinator.com/item?id=48127545https://news.ycombinator.com/item?id=48127545I’m paranoid but I never authenticate the GitHub CLI - there should be no tokens lying around on my system. If needed, I have some scoped PATs in pass, which I can source as env variables. Git Pushes happen over SSH with Yubikey.

]]>Tue, 12 May 2026 06:18:49 +0000https://news.ycombinator.com/item?id=48104847captn3m0https://news.ycombinator.com/item?id=48104847https://news.ycombinator.com/item?id=48104847You're right. Found the relevant docs+API calls:

https://docs.github.com/en/rest/actions/workflow-runs?apiVer...

Also for a Pending Deployment: https://docs.github.com/en/rest/actions/workflow-runs#review...

Both of these need `repo` scope, which you can avoid giving on org-level repos. For fine-grained tokens: "Deployments" repository permissions (write) is needed, which I wouldn't usually give to a token.

]]>Mon, 11 May 2026 22:39:11 +0000https://news.ycombinator.com/item?id=48101671captn3m0https://news.ycombinator.com/item?id=48101671https://news.ycombinator.com/item?id=481016711. _Multiple third-party companies_ can detect these obviously malicious packages in almost-real-time

2. NPM still not only publishes them, but also keeps distributing them for anything beyond 5 minutes.

Microsoft/GitHub/NPM can only keep repeating "security is our top priority" so many times. But NPM still doesn't detect these simple attacks, and we keep having this every week.

]]>Mon, 11 May 2026 22:28:08 +0000https://news.ycombinator.com/item?id=48101560captn3m0https://news.ycombinator.com/item?id=48101560https://news.ycombinator.com/item?id=48101560https://docs.github.com/en/actions/how-tos/deploy/configure-... is the feature they use.

> We impose tag protection rules that prevent release tags from being created until a release deployment succeeds, with the release deployment itself being gated on a manual approval by at least one other team member. We also prevent the updating or deletion of tags, making them effectively immutable once created. On top of that we layer a branch restriction: release deployments may only be created against main, preventing an attacker from using an unrelated first-party branch to attempt to bypass our controls.

> https://astral.sh/blog/open-source-security-at-astral

From what I understand, you need a website login, and not a stolen API token to approve a deployment.

But I agree in principle - The registry should be able to enforce web-2fa. But the defaults can be safer as well.

]]>Mon, 11 May 2026 22:19:31 +0000https://news.ycombinator.com/item?id=48101468captn3m0https://news.ycombinator.com/item?id=48101468https://news.ycombinator.com/item?id=48101468I've been collecting things you can't pin:

- Python inline dependencies in PEP-0723, which you can pin with a==1.0, but can't be hash-pinned afaik.

- The bin package manager lets you pin binaries, but they aren't hash-pinned either.

- The pants build tool suggests vendoring a get-pants.sh script[0] but it downloads the latest. Even if you pass it a version, it doesn't do any checks on the version number and just installs it to ~/.local/bin

[0]: https://github.com/pantsbuild/setup/blob/gh-pages/get-pants....

]]>Mon, 11 May 2026 22:13:57 +0000https://news.ycombinator.com/item?id=48101388captn3m0https://news.ycombinator.com/item?id=48101388https://news.ycombinator.com/item?id=48101388