Hacker News: theodorejb

In my petrol-powered Prius I average 52 MPG, so at the current price of gas ($2.60/gallon) I pay $0.50 to drive 10 miles - less than the listed cost to drive an electric car the same distance.

New comment by theodorejb in "The rise of eyes began with just one"

theodorejb — Tue, 24 Feb 2026 04:55:46 +0000

How would the photosensitivity and wiring to muscles come about at the same time?

New comment by theodorejb in "The rise of eyes began with just one"

theodorejb — Tue, 24 Feb 2026 02:36:00 +0000

What benefit is an eye unless there is also the capability of processing and using the information? How would both evolve simultaneously?

New Era of MySQL Community Engagement

theodorejb — Thu, 12 Feb 2026 18:07:44 +0000

Article URL: https://blogs.oracle.com/mysql/new-era-of-mysql-community-engagement

Comments URL: https://news.ycombinator.com/item?id=46992572

Points: 1

# Comments: 0

New comment by theodorejb in "Reverse engineering a $1B Legal AI tool exposed 100k+ confidential files"

theodorejb — Thu, 04 Dec 2025 01:41:19 +0000

According to the timeline it took more than a week just for Filevine to respond saying they would review and fix the vulnerability. It was 24 days after initial disclosure when he confirmed the fix was in place.

New comment by theodorejb in "Shai-Hulud Returns: Over 300 NPM Packages Infected"

theodorejb — Tue, 25 Nov 2025 03:41:26 +0000

My guess would be so they don't have to embed an IP address or hostname in the malware to send secrets to, which could then be blocked or taken down.

New comment by theodorejb in "Shai-Hulud Returns: Over 300 NPM Packages Infected"

theodorejb — Mon, 24 Nov 2025 21:42:06 +0000

Someone could be tricked into giving their npm credentials to the attacker (e.g. via a phishing email), and then the attacker publishes new versions of their packages with the malicious diff. Then when the infected packages are installed, npm runs the malicious preinstall script which harvests secrets from the new machine, and if these include an npm token the worm can see which packages it has access to publish, and infect them too to continue spreading.

KeePassXC 2.7.11 Released

theodorejb — Mon, 24 Nov 2025 03:03:03 +0000

Article URL: https://keepassxc.org/blog/2025-11-23-2.7.11-released/

Comments URL: https://news.ycombinator.com/item?id=46029901

Points: 4

# Comments: 0

PHP 8.5 Released

theodorejb — Thu, 20 Nov 2025 19:11:56 +0000

Article URL: https://www.php.net/releases/8.5/en.php

Comments URL: https://news.ycombinator.com/item?id=45996418

Points: 16

# Comments: 4

Alchemy

theodorejb — Mon, 10 Nov 2025 15:39:56 +0000

Article URL: https://joshcollinsworth.com/blog/alchemy

Comments URL: https://news.ycombinator.com/item?id=45876969

Points: 1

# Comments: 0

New comment by theodorejb in "Eating stinging nettles"

theodorejb — Thu, 06 Nov 2025 13:26:00 +0000

I can testify that steamed stingy nettles with gomasio (toasted sesame seeds and salt) is very delicious.

New comment by theodorejb in "NPM flooded with malicious packages downloaded more than 86k times"

theodorejb — Thu, 30 Oct 2025 22:45:58 +0000

One option to make it a little safer is to add ignore-scripts=true to a .npmrc file in your project root. Lifestyle scripts then won't run automatically. It's not as nice as Pnpm or Bun, though, since this also prevents your own postinstall scripts from running (not just those of dependencies), and there's no way to whitelist trusted packages.

New comment by theodorejb in "NPM flooded with malicious packages downloaded more than 86k times"

theodorejb — Thu, 30 Oct 2025 22:37:44 +0000

Bun also doesn't execute lifestyle scripts by default, except for a customizable whitelist of trusted dependencies:

https://bun.com/docs/guides/install/trusted

New comment by theodorejb in "NPM flooded with malicious packages downloaded more than 86k times"

theodorejb — Thu, 30 Oct 2025 22:27:34 +0000

I would expect to be able to download a package and then inspect the code before I decide to import/run any of the package files. But npm by default will run arbitrary code in the package before developers have a chance to inspect it, which can be very surprising and dangerous.

New comment by theodorejb in "You are the scariest monster in the woods"

theodorejb — Wed, 15 Oct 2025 16:19:27 +0000

> Human cognition was basically bruteforced by evolution

This is an assumption, not a fact. Perhaps human cognition was created by God, and our minds have an essential spiritual component which cannot be reproduced by a purely physical machine.

New comment by theodorejb in "Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised"

theodorejb — Wed, 17 Sep 2025 12:00:39 +0000

Yes it does, since the ignore-scripts option is not enabled by default.

New comment by theodorejb in "Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised"

theodorejb — Tue, 16 Sep 2025 16:50:14 +0000

Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.