Isn't that what lockfiles are for? By default `npm i` downloads exactly the versions specified in your lockfile, and only resolves the latest versions matching the ranges specified in package.json if no lockfile exists. But CI/CD pipelines should definitely be using `npm ci` instead, which will only install packages from a lockfile and throws an error if it doesn't exist.
These days compromised packages are often detected automatically by software that scans all packages uploaded to npm like https://socket.dev or https://snyk.io. So I imagine it's still useful to have those services scan these packages first, before they go out to the masses.
Measures like this also aren't meant to be "final solutions" either, but stop-gaps. Slowing the spread can still be helpful when a large scale attack like this does occur. But I'm also not entirely sure how much that weighs against potentially slowing the discovery as well.
Ultimately this is still a repository problem and not a package manager one. These are merely band-aids. The responsibility lies with npm (the repository) to implement proper solutions here.
I've used sendme a few times after coming across Iroh on Bluesky. It's honestly great. Just Works™, very fast, supports files and folders, resumable transfers, one sender to many receivers, and has fast relays as a fallback when a direct connection truly isn't possible, and it will actually tell you whether you have a direct connection or are using a relay (unlike others like Magic Wormhole or Croc from my experience).
One issue I always run into with browser-based terminal emulators or remote desktop clients is that common keyboard shortcuts like Ctrl-W might be used by the browser instead. Accidentally closing your browser tab and thus losing all your state when you just wanted to remove the previous word is quite annoying. It could be nice if a web app was able "capture" the keyboard somehow so that the browser doesn't react to any of its normal shortcuts, which is also commonly done in VM software and remote desktop apps, or I guess similar to input mode in Vim.
An open issue here[1] mentions that PWAs can actually define shortcuts that override browser ones which could be a solution. And someone also mentions using extensions that redefine the Ctrl-W shortcut as a workaround. But afaik both of these solutions rely on defining keyboard shortcuts beforehand which doesn't seem easy to do, given that you'd have to somehow define all of the shortcuts possibly used by your shell, editor, or any other terminal apps.
Massively agreed. I've had this problem for years and always have hundreds, sometimes thousands of tabs open, spread across a couple dozen windows. Memory usage is actually pretty alright with Chrome these days as the vast majority of tabs stay unloaded, and its Memory Saver feature also unloads opened tabs over time, so it's perfectly usable even with 16GB of RAM. Before that I had to use The Great Suspender to keep the memory usage in check.
I feel like I've tried every tab/bookmark managing app/extension under the sun and none of them stuck. I've also thought about creating my own, but it feels like even I don't know what I'm looking for exactly. The main problem I have is that they all have too much friction compared to simply keeping the tabs open. It would have to be something deeply integrated into the browser.
Vivaldi has some really cool tab management features and it would be my main browser of choice, but with my amount of tabs, windows and extensions its UI performance degraded to the point of becoming unusable, whereas Chrome held up just fine. Granted it has been a couple of years since I last tried it so that might have improved since. I'd still recommend anyone with similar "power user" needs to give it a try. It's a pretty awesome browser.
Tab Groups in Chrome are actually surprisingly decent as well. They're pretty low friction, and open tab groups even sync across devices, including mobile, in (near) real time now, which is great. But I do have some issues with them causing me not to use them. For example, when you re-open a closed tab group it will instantly load all of the tabs inside of it, instead of keeping each tab unloaded until visited, like on startup. You also can't add tabs to a closed tab group. So you either always have to keep the tab group open, meaning they're not much more than a visual aid and only slightly more useful than bookmark folders, or store fewer tabs per group, making them even less useful. They also have the same "object permanence" issue as bookmarks, where it's simply too easy to forget about a closed tab group altogether once I close it.
I make a new window for each task in working on keeping the tabs grouped together, and more importantly, make it easy to kill them when the team is done. if I have a group of tabs open for a long time that I'm meaning to read (and I know deep down that I won't but can't admit it to myself) I'll just copy the URLs to a note in Obsidian and lay them to rest.
I've tried a ton of email clients over the years and always end up coming back to Mailspring. Started using ever since it used to be Nylas N1 years ago (which later rebranded to Nylas Mail, then got discontinued and forked into Mailspring).
I actually do think it's the best performing and best looking cross-platform email client, although there are some potential pain points people should probably be aware of:
1. Development has become very stagnant. It's still semi-maintained with small bug fixes every now and then, but it hasn't seen any changes in years. This might also be a good thing depending on how you look at it, it's largely a finished product.
2. There are quite a lot of bugs that have never gotten fixed over the years[1]. I run into these bugs every now and then where e.g. deleting a draft will often also delete the entire thread without you realizing it, leading to unknowingly deleted emails[2]. And sometimes the local sqlite db gets locked/corrupted and you have to reset it[3]. I personally put up with this but I wouldn't expect anyone else to. Especially not non-tech folks. This makes it hard to recommend the app to other people.
3. You're required to have a "Mailspring ID" account to use the app. It doesn't actually do anything useful like synchronize your settings or connected mail accounts. As far as I can tell it's only used to check for a Pro subscription, and probably some telemetry. I don't use any of the Pro features so I can't say how well it works for that. Still required to have it though.
Nonetheless I still use it because no other client seems to have the UI/UX and information density down quite like Mailspring does. And it performs very well even with hundreds of thousands of emails thanks to its C++ sync engine (the UI is Electron, but I'd say it's still pretty snappy, it's one of the better ones). If Gmail ever supports third party IMAP accounts without needing Workspace for it and without needing to have a Gmail address attached to your Google account I would probably just use that instead though.
My favorite client used to use Alto Mail[4], which was a wonderful web and mobile app email client that did support external IMAP accounts. I believe it was created by AOL, but sadly shut down in 2017, shortly after Verizon merged AOL and Yahoo. I've wanted to create a spiritual successor to it ever since, but email standards and HTML email rendering has always seemed like such a massively complicated space. Plus email clients like these are so niche considering that almost everyone simply uses Gmail, Outlook, or their default system mail apps instead that the required effort just doesn't seem worth it. Perhaps I'll still do this someday if I can find the motivation, or maybe I'll try to contribute to Mailspring instead, but for now I just put up with its issues.
Regarding the third point. you are no longer required to have Mailspring ID for sometime now.
For me, what actually makes me not using it is because it does not support Exchange without IMAP support which my university disable. Otherwise it is the best UX/UI email client on Linux.
Oh! You're right. I suppose I just missed the fact that there's now a skip button/text on the set up screen. Thanks for the correction. And yea its Linux/cross-platform support is also one of the main reasons for why I use it.
I do also remember the part about Exchange not being supported if IMAP is disabled. I had the same issue when I tried to use it at a university, but luckily haven't needed that since. Not surprising to hear that it hasn't changed either.
Once atproto has first party support for private records I'm definitely expecting a massive increase in interest. It would open so many doors and is probably the main thing holding back many potential use cases as of now.
This is the original article (as mentioned by Gizmodo) which I submitted to HN yesterday, but it got killed immediately because of the signup wall. It went into the second chance pool (https://news.ycombinator.com/item?id=26998308) just now but not before another article on the same matter was submitted it seems. Not sure what the procedure is in that case. I'll ask dang.
