<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: jkrems</title><link>https://news.ycombinator.com/user?id=jkrems</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 17 Apr 2026 22:17:14 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=jkrems" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by jkrems in "Why the Sanitizer API is just `setHTML()`"]]></title><description><![CDATA[
<p>I mean... "as configured" can be either an allow OR a denylist. That sentence doesn't really prescribe doing it one way or the other..? You have to parse the denylisted elements because they will affect the rest of the parse, so you _have_ to remove them afterwards in the general case.</p>
]]></description><pubDate>Wed, 10 Dec 2025 20:58:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=46223746</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=46223746</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46223746</guid></item><item><title><![CDATA[New comment by jkrems in "Shai-Hulud Returns: Over 300 NPM Packages Infected"]]></title><description><![CDATA[
<p>pnpm is the better comparison maybe in this context. Most of Deno's approach to security is focussed on whole program policies which doesn't do much in this context. Just like pnpm and others, they do have opt-in for install scripts though. The npm CLI is an outlier there by now.</p>
]]></description><pubDate>Mon, 24 Nov 2025 18:04:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=46037025</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=46037025</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46037025</guid></item><item><title><![CDATA[New comment by jkrems in "Shai-Hulud Returns: Over 300 NPM Packages Infected"]]></title><description><![CDATA[
<p>Vendoring wouldn't really affect this at all. If anything it would keep you vulnerable for longer because your vendored copy keeps "working" after the bad package got removed upstream. There's a tiny chance that somebody would've caught the 10MB file added in review but that's already too late - the exploit happened on download, before the vendored copy got sent for review.</p>
]]></description><pubDate>Mon, 24 Nov 2025 18:01:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=46036993</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=46036993</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46036993</guid></item><item><title><![CDATA[New comment by jkrems in "Shai-Hulud Returns: Over 300 NPM Packages Infected"]]></title><description><![CDATA[
<p>They didn't deploy the code. That's not how this exploit works. They _downloaded_ the code to their machine. And npm's behavior is to implicitly run arbitrary code as part of the download - including, in this case, a script to harvest credentials and propagate the worm. That part has everything to do with npm behavior and nothing to do with how much anybody reviewed 3P deps. For all we know they downloaded the new version of the affected package to review it!</p>
]]></description><pubDate>Mon, 24 Nov 2025 17:55:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=46036931</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=46036931</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46036931</guid></item><item><title><![CDATA[New comment by jkrems in "Google Antigravity"]]></title><description><![CDATA[
<p>Looks like it's back again!</p>
]]></description><pubDate>Tue, 18 Nov 2025 16:28:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=45968399</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=45968399</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45968399</guid></item><item><title><![CDATA[New comment by jkrems in "Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised"]]></title><description><![CDATA[
<p>Afaict many of these recent supply chain attacks _have_ been detected by scanners. Which ones flew under the radar for an extended period of time?<p>From what I can tell, even a few hours of delay for actually pulling dependencies post-publication to give security tools a chance to find it would have stopped all (?) recent attacks in their tracks.</p>
]]></description><pubDate>Tue, 16 Sep 2025 23:17:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=45269530</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=45269530</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45269530</guid></item><item><title><![CDATA[New comment by jkrems in "Show HN: Lego Island Playable in the Browser"]]></title><description><![CDATA[
<p>Nothing to do with "smart", or at least that's mostly irrelevant to this observation. But it's definitely age-dependent. No matter how "smart", it's not fair to expect young children to immediately and fully pay attention to some "random" voice when other interesting things are going on at the same time.</p>
]]></description><pubDate>Mon, 23 Jun 2025 16:16:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=44357286</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=44357286</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44357286</guid></item><item><title><![CDATA[New comment by jkrems in "The True Size Of"]]></title><description><![CDATA[
<p>> Why the South? What about the North? Symmetric globe?<p>The globe isn't symmetric when it comes to these terms. They don't refer to the actual two hemispheres, split at the equator. The "south" contains the equator and the "north" ends way before the equator.<p>> And why is the shrinking considered a misrepresentation, but the enlargement of high latitudes apparently not?<p>Because being overrepresented (looking bigger) is typically an advantage. Both are misrepresentations but the direction matters. Some of this is only a real problem if geographical area and population are correlated. Which, at least in broad strokes, is true here.</p>
]]></description><pubDate>Wed, 30 Apr 2025 20:18:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=43850187</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=43850187</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43850187</guid></item><item><title><![CDATA[New comment by jkrems in "Writing "/etc/hosts" breaks the Substack editor"]]></title><description><![CDATA[
<p>Could this be trivially solved client-side by the editor if it just encoded the slashes, assuming it's HTML or markdown that's stored? Replacing `/etc/hosts` with `&#47;etc&#47;hosts` for storage seems like an okay workaround. Potentially even doing so for anything that's added to the WAF rules automatically by syncing the rules to the editor code.</p>
]]></description><pubDate>Fri, 25 Apr 2025 16:01:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=43795083</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=43795083</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43795083</guid></item><item><title><![CDATA[New comment by jkrems in "A standards-first web framework"]]></title><description><![CDATA[
<p>> The gap between design and engineering has never been wider.<p>This seems like such a weird claim to make. This used to be "here's a JPEG, you may beg for the PSD". Not saying that there's no gap today but... never been wider..? Am I missing something about the typical Figma setup that makes it worse than a random JPEG export of one state of the UI?</p>
]]></description><pubDate>Thu, 16 Jan 2025 23:55:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=42732493</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=42732493</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42732493</guid></item><item><title><![CDATA[New comment by jkrems in "A new learning experience on MDN"]]></title><description><![CDATA[
<p>Being spec compliant means being compliant with the entire spec, not just a "reasonable subset of the spec", picked by the author of the ponyfill/polyfill. And being secure only in the presence of normal inputs is... pretty meaningless afaict? Anything is secure if the inputs are "nice to the implementation". That isn't a typical bar for "it's secure".<p>Whether every use case that just wants to roundtrip BigInt through JSON _needs_ a fully spec compliant & generally secure solution is a different question. But at that point it's about picking a solution for a related use case, not about actually standing in for the upcoming browser feature.</p>
]]></description><pubDate>Wed, 25 Dec 2024 21:24:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=42511264</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=42511264</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42511264</guid></item><item><title><![CDATA[New comment by jkrems in "Humans Are Evolving Right Before Our Eyes on the Tibetan Plateau"]]></title><description><![CDATA[
<p>Many (most?) traits require energy to develop and maintain. A stronger muscle will need more energy so there's always pressure to reduce it. That pressure may just be countered by pressures in other directions.</p>
]]></description><pubDate>Fri, 25 Oct 2024 15:37:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=41946304</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=41946304</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41946304</guid></item><item><title><![CDATA[New comment by jkrems in "The HTTP Query Method"]]></title><description><![CDATA[
<p>> When doing so, caches SHOULD first normalize request content to remove semantically insignificant differences, thereby improving cache efficiency, by: [...]<p>That part sounds like it's asking for trouble. I'm curious if this will make it to the final draft. If the client mis-identifies which parts of the request body are semantically insignificant, the result would be immediate cache poisoning and fun hard-to-debug bugs.<p>If it's meant as a "MAY", then that seems kind of meaningless: If the client for some reason knows that one particular aspect of the request body is insignificant, it could just generate request bodies that are normalized in the first place..?</p>
]]></description><pubDate>Mon, 16 Sep 2024 18:11:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=41558832</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=41558832</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41558832</guid></item><item><title><![CDATA[New comment by jkrems in "Why freedom of speech is a wicked problem"]]></title><description><![CDATA[
<p>So you don't use a spam filter in your inbox? You just subscribe to more emails that you _do_ want to drown out the spam? It's easy to say "just counter with more speech!" but it's harder to see how that works at the scale of a global network with nation state actors, bots, and extreme imbalances of power (100 people dogpiling onto 1 person).</p>
]]></description><pubDate>Fri, 13 Sep 2024 18:59:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=41534061</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=41534061</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41534061</guid></item><item><title><![CDATA[New comment by jkrems in "(Unsuccessfully) Fine-tuning GPT to play "Connections""]]></title><description><![CDATA[
<p>Apart from the "it just explained the already ordered groups in the question" problem, it didn't even explain one of the groups correctly. "Something about coat(ing) and food" is not the correct explanation, it's missing a lateral logic step there to go from food-related to a separate meaning.</p>
]]></description><pubDate>Tue, 16 Jan 2024 03:37:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=39009171</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=39009171</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39009171</guid></item><item><title><![CDATA[New comment by jkrems in "HTML Web Components"]]></title><description><![CDATA[
<p>If you have a static frontend bundle, isn't that just SSG (static site generation)? And if you can generate the site at build time, what's the fundamental difference between any of the non-web component SSG solutions and a web component SSG solution? Sure, you can pretend like there will be "no build step". But only if you're fine with "no proper cache headers" (and a long tail of other things). So in practice - hopefully there _will_ be a build step anyhow.</p>
]]></description><pubDate>Mon, 13 Nov 2023 16:54:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=38252296</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=38252296</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=38252296</guid></item><item><title><![CDATA[New comment by jkrems in "Find bilingual baby names"]]></title><description><![CDATA[
<p>The dataset seems pretty unreliable. For example this page claims that "Kai" isn't a name used in German: <a href="https://mixedname.com/name/kai" rel="nofollow noreferrer">https://mixedname.com/name/kai</a>. But then half of the "celebrities named Kai" are... German.<p>I wonder what the source for the names is. Kai is #289 in at least one list of the most popular names given to German kids in 2022: <a href="https://www.beliebte-vornamen.de/jahrgang/j2022/top-500-2022" rel="nofollow noreferrer">https://www.beliebte-vornamen.de/jahrgang/j2022/top-500-2022</a>. So I'm surprised that it wouldn't show up in a list of >1000 "German" names.</p>
]]></description><pubDate>Sat, 11 Nov 2023 19:11:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=38233468</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=38233468</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=38233468</guid></item><item><title><![CDATA[New comment by jkrems in "Bun v1.0.0"]]></title><description><![CDATA[
<p>Congrats on 1.0!</p>
]]></description><pubDate>Fri, 08 Sep 2023 15:29:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=37434859</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=37434859</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37434859</guid></item><item><title><![CDATA[New comment by jkrems in "A regular expression to check for prime numbers (2007)"]]></title><description><![CDATA[
<p>And that article says:<p>> Perl regexes have become a de facto standard, having a rich and powerful set of atomic expressions.</p>
]]></description><pubDate>Wed, 21 Jun 2023 13:30:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=36418206</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=36418206</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=36418206</guid></item><item><title><![CDATA[New comment by jkrems in "Sensenmann: Code Deletion at Scale"]]></title><description><![CDATA[
<p>That's a question of policy, not of repo structure. A monorepo can still have certain parts of the repo protected by access control. One repo doesn't mean "all files share one read permission".</p>
]]></description><pubDate>Sun, 30 Apr 2023 01:19:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=35758870</link><dc:creator>jkrems</dc:creator><comments>https://news.ycombinator.com/item?id=35758870</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=35758870</guid></item></channel></rss>