naugtur
@naugtur.pl
Working on supply chain security for JS. LavaMoat and Endo contributor. meet.js Poland organizer. Node.js user since v0.8.
Addicted to teaching.

https://naugtur.pl
Pinned
naugtur @naugtur.pl · Jan 29
A Phish on a Fork, no Chips.

One more thing to beware in the world of software supply chain risks.

Read if you care about your GitHub actions or dependencies.

Or read it for the fish puns. 🫣

dev.to/naugtur/a-ph...
A Phish on a Fork, no Chips
So you were told that this is the safest way to install a package from github with npm: "test262":...
dev.to
Reposted by naugtur
ECMAScript excitement 😉

The Temporal API ships in Chrome 144 Beta today 🎉

developer.chrome.com/blog/chrome-...

Right on time. Arriving in the Chrome Stable release in approximately one month!
December 9, 2025 at 10:24 PM
Reposted by naugtur
[content warning - bad ideas]

PoC of import(CJS) working in the browser on top of dynamic import.
No dependencies, under 300 lines of horrible abomination.

github.com/naugtur/import-cjs-browser/

I apologize.
GitHub - naugtur/import-cjs-browser: It imports cjs in the browser. I apologize.
github.com
December 23, 2025 at 11:26 PM
Reposted by naugtur
Fuck you people. Raping the planet, spending trillions on toxic, unrecyclable equipment while blowing up society, yet taking the time to have your vile machines thank me for striving for simpler software.

Just fuck you. Fuck you all.

I can't remember the last time I was this angry.
December 25, 2025 at 11:25 PM
I'm not setting up any new publishing until it's there 🤩
No way this is actually happening 🥹

github.blog/security/sup...
December 24, 2025 at 8:54 PM
Reposted by naugtur
it's Christmas Eve but it's also the 16 year anniversary of the time an art historian for the Hungarian National Gallery spotted a long lost painting while watching Stuart Little with his 3-year-old daughter, recognizing it in the movie set
December 24, 2025 at 11:40 AM
Reposted by naugtur
We need to do something about this shit.

Props to @bennjordan.bsky.social for pressing this issue so much.

www.youtube.com/watch?v=vU1-...
This Flock Camera Leak is like Netflix For Stalkers
YouTube video by Benn Jordan
www.youtube.com
December 22, 2025 at 9:41 PM
Reposted by naugtur
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
Malicious Chrome Extensions “Phantom Shuttle” Masquerade as ...
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials t...
socket.dev
December 22, 2025 at 9:21 PM
Another update on import cjs in the browser - I now have a thing that collects a dependency graph for modules while still using the built-in import for loading and parsing. It's evil.
Update on CJS in the browser without bundling:

On the flight home I figured out how to get the exports to be synchronously available via require calls despite using dynamic import behind the scenes and not shipping a parser.

Now I just need to make it work as PoC.

Somebody stop me...
Chat, should I implement cjs import in the browser as an npm package?

I'm asking because people would sometimes say "he was too busy with whether he could to consider whether he should" 😂
December 23, 2025 at 7:49 AM
Reposted by naugtur
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...
www.npmjs.com
December 22, 2025 at 7:16 AM
Reposted by naugtur
If you’ve attended JS/CSSConf EU, it wouldn’t have been the same without @lukaszklis and now he needs your help: his family home was devastated in a fire. I know times are tough for all, but if you can, please help turn this nightmare into a community miracle. 🙏
front-end.social/@fox/1157439...
karolina (@fox@front-end.social)
📣 @lukaszklis@mastodon.social, who’s poured so much into the front-end and design community through co-running CSSConf and JSConf Europe, needs our help. His family home nearly burned down (luckily...
front-end.social
December 19, 2025 at 3:33 PM
Reposted by naugtur
Pantone just updated their Color Of The Year
December 20, 2025 at 7:23 PM
Idiocracy was right
Here's a better view of the now-deleted photo showing Trump with Epstein and Trump with a group of young girls.

The photo was originally posted as item EFTA00000468 but was later deleted. Now the 'official' list simply jumps from EFTA00000467 to EFTA00000469.
December 20, 2025 at 8:58 PM
Where do these people even come from?
And then there’s the story about Alex Karp’s not-at-all-weird interview (for lack of a better word) with Oswald Mosley’s grandson for a senior position at Palantir.
December 19, 2025 at 9:46 AM
React and React DOM are still published as CJS.

Which means you can't `await import()` them in the browser.
December 18, 2025 at 8:24 PM
Reposted by naugtur
how much do you tip the Cursor agent ?
December 18, 2025 at 10:00 AM
Reposted by naugtur
the fantasy of an enslaved god
every person pushing AI fundamentally believes that they, personally, are superior to AI, but that AI is superior to each one of the rest of us
December 17, 2025 at 10:58 PM
Reposted by naugtur
I can probably now share how I resigned from AWS.

I originally tried to do it via gif, but my (wonderful) manager said my resignation needed to be in a word doc format, so…
December 18, 2025 at 2:57 AM
Reposted by naugtur
Congrats @docker.com! This is the right move for the ecosystem.

In case you missed this detail: with Docker Hardened Images teams get secure application dependencies by default. @socket.dev Firewall is built in.
Hardened images should be the baseline, not a bonus feature.

@thenewstack.io breaks down why we made Docker Hardened Images free. Featuring Docker's VP of Product, Mike Donovan, on security, open source, and what comes next.
🔗 https://bit.ly/3N4DXt6
#DHI #OpenSource
Docker Sets Free the Hardened Container Images
Docker has made Docker Hardened Images (DHI) a free service, offering prepatched, secure SBOM-ready versions of widely used open source applications.
thenewstack.io
December 17, 2025 at 7:03 PM
Reposted by naugtur
Got ur gifts here bitch
December 13, 2023 at 2:30 PM
Reposted by naugtur
A. This would be like the average American couple donating about $150.

B. Meanwhile, Bezos's buddy DJT has been dramatically cutting funds for special education and children with disabilities all year. Just one cut in October eliminated special education grants worth $15 billion.
Jeff Bezos and Lauren Sánchez Bezos are awarding $5 million to a leader in neurodiversity education
Mega billionaire Amazon founder Jeff Bezos and Lauren Sánchez Bezos have donated $5 million to David Flink, founder of the Neurodiversity Alliance.
www.newsday.com
December 17, 2025 at 1:24 PM
Reposted by naugtur
PSA: Our roadmap for 2026:
December 16, 2025 at 10:22 AM
Reposted by naugtur
Lmao, this is gold comedy tier.

If I didn't know any better, I'd think AI is trolling me.
December 17, 2025 at 12:39 PM
Reposted by naugtur
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.

I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”

So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.

Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
December 12, 2025 at 1:08 PM
Reposted by naugtur
Never seen so many copies of my book (The Software Engineer's Guidebook) - 500 copies (most still in boxes!) Tomorrow giving away signed copies at the Netflix booth at WAWTech, in Warsaw, Poland.

(These are all hardcovers!)
December 15, 2025 at 4:57 PM