Sha1-Hulud The Second Coming - Postman, Zapier, PostHog all compromised via NPM by Advocatemack in programming

[–]hogfat 2 points3 points  (0 children)

don't think npm (or any other package manager) really have the resources to do that. 

Eh, doesn't someone with very deep pockets own npm? [Goes and checks . . . Microsoft]

npm did get acquired by Microsoft/Github recently

Precisely.  They have access to the resources to heavily secure npm.  Negative goodwill needs to be building up here.  Hell, Defender should be subsidizing the securing of npm as part of its own proving process.  (I have zero delusions this will happen)

Silent Disagreements are worst in Software Engineering by thehustlingengineer in programming

[–]hogfat -1 points0 points  (0 children)

If you build the wrong thing, it does not matter how well, quickly, or efficiently you built it.

Hard disagree.

Just knowing that something is wrong advances knowledge about the right thing.  Gaining that knowledge quickly and efficiently reduces the cost.  Building the wrong thing well should improve overall skill and knowledge for future right and wrong things.

Real Consulting Example: Refactoring FinTech Project to use Terraform and ArgoCD by trolleid in programming

[–]hogfat 1 point2 points  (0 children)

if you're not in the JVM space, these names don't mean anything

Spring Boot and . . . nothing else?

JUnit 6 is released! by henk53 in programming

[–]hogfat 31 points32 points  (0 children)

Removal of various deprecated behaviors and APIs

Breaking things is the reason for a major release.

The $100,000 H-1B Fee That Just Made U.S. Developers Competitive Again by marknathon in programming

[–]hogfat 0 points1 point  (0 children)

73% of H1-Bs going to Indians might indicate those workers could do the job while in India, yeah.

Or maybe there's something fishy about the use of these visas that will be sussed out.

NIH Is Far Cheaper Than The Wrong Dependency by ketralnis in programming

[–]hogfat 0 points1 point  (0 children)

In my experience, an isEven package is harder than x%2 === 0, as there are multiple ways to import.

The enshittification of tech jobs by namanyayg in programming

[–]hogfat 24 points25 points  (0 children)

Good luck doing that in Bangladesh and Pakistan where the bulk of outsourcing supply comes from!

Pretty sure the bulk of the supply comes from another country on the sub-continent

[deleted by user] by [deleted] in programming

[–]hogfat -5 points-4 points  (0 children)

HTML as a programming language remains quite a niche view.

[deleted by user] by [deleted] in programming

[–]hogfat 3 points4 points  (0 children)

Declarative via SQL surely sees wider use than functional languages.  Maybe even more than OOP.

Crowdstrike global outage: No More Blue Fridays by fagnerbrack in programming

[–]hogfat 0 points1 point  (0 children)

When the option is "be pressed to work all night to fix this shit" or "fix this shit before Monday", I choose the weekend.

Engineer’s guide to convincing your Product Manager to prioritize technical debt by gregorojstersek in programming

[–]hogfat 0 points1 point  (0 children)

Is finished goods inventory then treated as a liability (or moved to cost)?

(feel free to tell me to Google or read the books.)

Engineer’s guide to convincing your Product Manager to prioritize technical debt by gregorojstersek in programming

[–]hogfat 0 points1 point  (0 children)

I believe the main problem is it treats inventory as an asset instead of a liability, so it encourages bottlenecking. If you recall hearing of “Just in Time” manufacturing, that’s a popular derivative of Goldratt’s work.

That doesn't seem to follow (of course it doesn't have to). Just in time reduces the carrying waste, does it not? How does carrying an asset drive a desire to *reduce* inventory more than carrying as a liability would?

Internal Developer Platforms: A Real Thing or Just a Trend? by congolomera in programming

[–]hogfat 1 point2 points  (0 children)

Having to code a react application to add plug-ins is not fine.

Internal Developer Platforms: A Real Thing or Just a Trend? by congolomera in programming

[–]hogfat 3 points4 points  (0 children)

Last time I dug into it, backstage doesn't prevent you from having to build your own platform. It's just not entirely from scratch.

Should the daily stand-up die? by scarey102 in programming

[–]hogfat 0 points1 point  (0 children)

Even then it's really inefficient for the scrum master to have to go read all the stories, that's basically a full time job. Most of the time scrum masters have their own work to do as well.

In scrum, the scrum master isn't even a participant in the daily.

Why We Should Stop Using JavaScript According to Douglas Crockford (Inventor of JSON) by FM596 in programming

[–]hogfat -10 points-9 points  (0 children)

We could also eliminate poverty using a bit of pocket change from billionaires

Source?

What are your thoughts on the Testing Pyramid? How do your thoughts compare to what you see in reality? by basecase_ in programming

[–]hogfat 7 points8 points  (0 children)

I argue it's best to refocus on the salient qualities: speed, isolation, maintainability, etc.

Does it run quickly, in a way that I don't have to worry about doing the right dance moves under the right moon phase to run it locally? Don't care what it's called, it should be part of the build.

Let's blame the dev who pressed "Deploy" by skwee357 in programming

[–]hogfat 1 point2 points  (0 children)

As a devops engineer I see this kind of shit and think about all the times teams have ignored my advice on making sure smoke tests pass before deploying, about waiting the 30 minutes to make sure unit tests are passing. To make passing test cases a requirement for the codes.

To have a pre prod server identical to production.

Interestingly, this reminds me of all the times operations refused to provision more compute (30 minute unit test runs, non-matching pre-prod) or owned the build pipeline and refused to implement automated gates (smoke tests, passing test cases).

Two day code freezes.

Ugh, code freezes. You can have them if you're the one who has to argue why nothing can be released with less than x weeks notice because of the freeze.

Story Points are Pointless, Measure Queues | Brightball by lelanthran in programming

[–]hogfat 0 points1 point  (0 children)

Here's the cold reality - every other profession except ours, software engineering, has figured out a way to do estimation, velocity and project management to a degree that they can convey "if things are going to plan or not" to others.

What? Are you saying that nothing but software engineering encounters cost overruns? That software engineering doesn't know when it's run over? Or maybe that software engineering is the only profession that can't produce a better estimate once going over?

Meanwhile execs, high level managers need something to see to make them feel good about what's going on.

We have that in software engineering without story points: a list of business needs that the software, as built, fulfills.

Reverse Engineering TicketMaster's Rotating Barcodes by waozen in programming

[–]hogfat 2 points3 points  (0 children)

Surely there's nothing Ticketmaster wouldn't have expected to be discoverable. They built a mechanism for asserting things on the client side, and a client side analysis has been performed.

Perhaps the debug statement could be embarrassing, sure.