I feel like a lot of readers are missing the main point. US and European manufacturers do not want to enter this low volume zero margin market. The total sales in Latin America (that includes Mexico and South America) are around five million units - that is less than half of what is sold in the US each year. And at a price point of 20K it just does not make sense for American and European manufacturers given that their R&D costs are higher than Asian manufacturers' and their North American models are too large and expensive for South American markets.
In addition they know that the US is a captive market as the government will not allow Chinese companies to sell their cars here due to data and security concerns.
Given the recent npm attacks, is it even safe to develop using npm? Whenever I start a React project, it downloads hundreds of additional packages which I have no idea about what they do. As a developer who has learnt programming as a hobby, is it better to stick to some other safe ways to develop front end like Thymeleaf or plain JS or something else?
When I build a backend in Flask or Django, I specifically type the Python packages that I need. But front end development seems like a Pandora's box of vulnerabilities.
All package ecosystems that allow unvetted code being published are affected, it just happens that npm is by far the most popular one, so it gets all the news.
Oh man, you picked the one other language that followed the JavaScript model?! How about C, Java, Go, Lisp, C#, C++, D… and new ones like Odin that are explicitly against package managers for this very reason.
When you start writing with C, where do you get your stdio.h file? Do you write it yourself, or inspect it line by line every time or do you trust the installation package you just ran?
Hm... if you use something like Debian it's quite difficult to get your package installed in the distro. People do review everything that goes in.
I find it incredibly silly to compare something like that to npm, where every kid has dozens of packages installed that anyone using npm can end up downloading and no one is really reviewing anything.
I agree one is more difficult than the other, but I feel the principle is the same. Whilst anything is built using other modules, there is always a risk those modules will be compromised.
What can we do about it indeed!? I guess it's either fully digitally detox or accept the fact that if you use modern technology then somebody is watching what you do.
But it is. Both C/C++ and Go are not at all like this.
I don't know about Python, but the Rust ecosystem tends to attract enthusiasts who make good single purpose packages that are then abandoned because maintainers move on, or sometimes forked due to minor disagreements, similar to how Linux/Unix is fragmented with tribal feuds.
M'yea, good luck finding such occurrence with NuGet or Maven for example. I would rephrase your "anywhere else".
NPM is a terrible ecosystem, and trying to defend its current state is a lost cause. The energy should be focused on how to fix that ecosystem instead of playing dumb telling people "it's all ok, look at other, also poorly designed, systems".
Don't forget that Rust's Cargo got heavily inspired by NPM, which is not something to brag about.[0]
> "Rust has absolutely stunning dependency management," one engineer enthused, noting that Rust's strategy took inspiration from npm's.
What's wrong with micro dependencies? Isn't it better to download only the code you need? Also it makes refactoring easier, and enforces better architecture.
Larger attack surface - you just need one of those N dependencies to fall for a spear phishing attack and you're cooked. Larger N is necessarily worse.
It depends on the software being written, but if it's a product your business sells or otherwise has an essential dependency on, then the best model available right now is vendoring dependencies.
You still get all the benefits of standing on top of libraries and frameworks of choice, but you've introduced a single point of entry for externally authored code - there are many ways you can leverage that to good effect (vuln scans, licence audits, adding patch overlays etc etc) and you improved the developer experience - when they check out the code, ALL of the code to build and run the project is already present, no separate npm install step.
You can take this model quite a bit further and buy some really useful capabilities for a development team, like dependency upgrades because they're a very deliberate thing now, you can treat them like any other PR to your code base - you can review the changes of each upgrade easily.
There are challenges too - maybe your npm dep builds a native binary as part of it, so you now need to provide that build infra / tooling, and very likely you also want robust build artifact and test caching to save wasting lots of time.
Rust has a really big and comprehensive stdlib, especially compared to languages like C or JavaScript. It just decided that certain things won't be solved in the standard lib because there is no obviously-right solution and evolving towards a good solution is much easier in packages than in the stdlib, because the stdlib isn't versioned.
Some of the gaps feel huge, like no random, no time/date handling, and no async runtime. But for most of them there are canonical packages that 95% of the ecosystem uses, with a huge amount of eyeballs on them. And sometimes a better solution does emerge, like jiff slowly replacing chrono and time for time/date handling.
Obviously this isn't the best solution from a security perspective. There would be less potential for supply chain attacks if everything was in the standard library. But that has to be weighed against the long-term usability of the language.
I come from a JavaScript background, and I've got to admit that the ecosystem is designed in a way that is really prone to attack.
It is like the xz incident, except that each dependency you pull is maintained by a random guy on the internet. You have to trust every one of them to be genuine and that they won't fall into any social engineering attacks.
Here's my black pill: Node in general is not safe.
The blurring of the client-server lines is a security risk. Very easy to expose the wrong thing; the language appeals to people who know 1 language (which correlates with lack of experience).
In my personal experience node projects developed under my supervision had very basic client-server boundary vulns 66.67% of the time. Empirically it's not great.
Just a heads up that PyPI isn't immune from the same attack, with "PyPI supply chain attack" typed into Google revealing a (much smaller) number of packages that turned out to be malware. Some were not misspellings either, with one being a legitimate package that got hacked via GitHub Actions and a malicious payload added to the otherwise legitimate package.
No language ecosystem is but NPM/Node still encourages this idea (borrowed elsewhere and interpreted poorly) that everything must be its own tiny package and that it's acceptable to author libraries consisting of thousands of transitive dependencies from potentially dubious sources. Just this week I saw one (unmaintained dependency of a popular package) which consisted of a list of a dozen SQL operators. Anywhere else you would just write the damn code, maybe add a comment that these are the SQL-92 operators and be done with it literally forever. But in Node land that would be viewed as an antipattern which only another package can fix. It's a security and maintenance nightmare that can only be explained by laziness and outright stupidity.
It's a misconception that NPM or Node encourage this, because they don't. There are a few package authors that are doing it that way (some even paid by download count), but that's their opinion.
Recently there is a trend towards minimal-dependency packages and I would certainly recommend auditing every package for its dependencies before using it.
> As a developer who has learnt programming as a hobby, is it better to stick to some other safe ways to develop front end like Thymeleaf or plain JS or something else?
Oh, absolutely, there is no question about it. Fewer dependencies means less headache; and if you can get the number of your dependencies to zero, then you have won the internet.
> Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
Hmmm, it still has a pretty extensive default list of permitted npm packages, which wouldn't necessarily be a problem if there were a way to disable it, but I can't seem to find it.
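The suggestion above to audit every package's dependencies before using it, and the point about install-time lifecycle scripts, can both be checked mechanically from the lockfile. The script below is an added example, not code from the thread or from npm/Bun: it reads a `package-lock.json` (lockfileVersion 2 or 3, where npm records `hasInstallScript: true` for packages whose package.json declares preinstall/install/postinstall hooks) and reports how many packages an install really pulls in, which of them run install scripts, and which lack an `integrity` hash. The embedded lockfile and all package names in it are constructed for the example.

```javascript
// Added example: audit a package-lock.json (v2/v3 "packages" map) for the
// install-time risks discussed above. The lockfile below is constructed for
// this example; the package names and the registry host are made up.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    // the root project: its "dependencies" are the direct deps you asked for
    "": { name: "example-app", dependencies: { "ui-widgets": "^4.0.0", "tiny-util": "^1.0.0" } },
    "node_modules/ui-widgets": {
      version: "4.2.0",
      resolved: "https://registry.example.invalid/ui-widgets/-/ui-widgets-4.2.0.tgz",
      integrity: "sha512-PLACEHOLDER",
      dependencies: { "native-bindings": "^2.0.0", "tiny-util": "^0.9.0" }
    },
    // a transitive dep that runs code at install time (what Bun refuses by default)
    "node_modules/native-bindings": {
      version: "2.0.1",
      resolved: "https://registry.example.invalid/native-bindings/-/native-bindings-2.0.1.tgz",
      integrity: "sha512-PLACEHOLDER",
      hasInstallScript: true
    },
    // a second, nested copy of tiny-util pulled in by ui-widgets' older range
    "node_modules/ui-widgets/node_modules/tiny-util": {
      version: "0.9.3",
      resolved: "https://registry.example.invalid/tiny-util/-/tiny-util-0.9.3.tgz",
      integrity: "sha512-PLACEHOLDER"
    },
    // an entry with no integrity hash: npm cannot verify the tarball it downloads
    "node_modules/tiny-util": {
      version: "1.0.0",
      resolved: "https://registry.example.invalid/tiny-util/-/tiny-util-1.0.0.tgz"
    }
  }
});

// Walk the lockfile and collect the facts a reviewer wants before `npm ci`.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const root = lock.packages[""] || {};
  const report = {
    total: 0,                 // every installed package, nested duplicates included
    directDeps: Object.keys(root.dependencies || {}).sort(),
    installScripts: [],       // packages that run code during install
    missingIntegrity: []      // packages npm cannot verify against a hash
  };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue;      // the project itself
    if (meta.link) continue;        // workspace symlink, not a downloaded tarball
    report.total += 1;
    if (meta.hasInstallScript) report.installScripts.push(path);
    if (!meta.integrity) report.missingIntegrity.push(path);
  }
  return report;
}

// How many packages arrived that you never asked for by name.
function transitiveCount(report) {
  return report.total - report.directDeps.length;
}

// Usage on the constructed sample; pass real lockfile text to audit a project.
const sampleReport = auditLockfile(SAMPLE_LOCKFILE);
console.log(JSON.stringify(sampleReport, null, 2));
console.log("transitive packages:", transitiveCount(sampleReport));
```

The two lists are the ones worth acting on: packages with install scripts are the ones that execute on the developer's machine during `npm install`, so they deserve a look at what the script does, and npm's own `ignore-scripts=true` setting in `.npmrc` (or `npm ci --ignore-scripts`) makes skipping them the default, which is the behaviour the Bun quote above describes. Entries without an `integrity` field cannot be verified against the registry tarball, which defeats the point of committing the lockfile.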
The latter is what I was getting at, yeah. An updated list of standard library-esque functions implemented in native code, so the need to reach for npm for a dependency happens far less often.
I think the root cause of the problem is not insurance companies but they definitely do play a part. The real reasons are multiple but can be listed as below.
1. A very high cost of drugs due to no intervention by the government as part of free market philosophy. This means that the same insulin that costs $25 in Canada can be sold for up to $1000 per month. Newly introduced drugs for Alzheimer's or other diseases can cost up to 50k per year - again because there are no price controls.
2. Insanely high prices of services due to a captive market - for example a ten minute ambulance ride can cost from $1000 to $5000. The private ambulance companies know they can charge a high base rate because they are connected to a city or municipality via contracts. Bribes as campaign funds are popular here. E.g. a New York based ambulance operator paid 45k in campaign funds to NY's governor elect and got a contract worth one billion dollars.
3. Overcharging by hospitals for medicines and services, again due to a captive audience. The hospitals are free to maintain various price books and you are not told what each service will cost at the time the service is administered. Lately the hospitals have been forced to open up their price books, but they are so convoluted that no normal human can decipher those prices.
Thus a ten cent aspirin would cost you $25 in the hospital and an MRI can run up to 15k.
4. Very high charges for doctors due to strict control on the number of MD positions and no increase in colleges or D seats over multiple years.
5. Insurance companies have a for profit motive and need to extract their profits from premiums paid. Thus they fight tooth and nail to deny procedures and medications and set up convoluted processes for appeals.
6. Extensive fraud on Medicare and other government run health programs, especially in durable medical goods and fake billing. In fact one sitting US senator's medical care company was involved in the largest Medicare fraud fines in the US and he still holds his seat.
I think The Hill is trying to create a narrative here. The law specifically states to post job postings in newspapers and it is Congress's fault if they have not updated the laws.
As per PERM regulations (20 C.F.R. §656.17):
For professional positions (those requiring a bachelor’s degree or higher), the employer must conduct two Sunday newspaper advertisements in a newspaper of general circulation in the area of intended employment.
For non-professional positions, at least one Sunday ad is required.
Instacart sent a cease and desist for trademark violation. You cannot become a middleman for random businesses/services. Kind of similar to how doordash and others got into trouble by hijacking restaurants' order flow without consent.
Finally, someone in this thread says this. Thank you!
This opinion column from The Hill is written by a Fox News contributor. Of course it’s going to leave out certain inconvenient facts in service of a nativist agenda. The HN community time and time again shows that they are ready to be whipped up into an anti-immigrant frenzy at the drop of a hat.
This company which was reviewed in the article has a ton of smartwatches. This is the URL - https://www.colmi.info/
Pick what you like and then search for the same model on Aliexpress. You will usually find most of their models between $10 and $30.
You have to look at Palantir revenue and market cap to justify this. Palantir is around $1B in revenue and around 350B market cap. They build AI solutions for the government. I think OpenAI has something similar in mind. They got the AI part and the government contract part and now just need to capitalize on it. Also from what I have heard, they are at $5B in revenue anyway.
Have heard the same that Teslas eat tires like crazy. But why is that, when their weight is comparable to a regular minivan? Is it due to the fast acceleration? If so, can tire life be extended if the user is gentle on the accelerator from zero?
Almost all tire wear comes from accelerating and decelerating. Some from turning and cornering. Basically anytime you are asking them to stick to the road when the car's velocity is changing. Just coasting in a straight line does not cause any significant wear, regardless of weight. (Unless the tires are grossly under-inflated.)
EVs eat tires when people drive them like they're on a race track, which is most of the time.