Hacker News | grassfedgeek's comments

Tired of you vibe coding detectives. Who the heck cares? If you don't use AI these days you're not smart. Why call it out, as if you caught them doing something unethical?

You know there's like an entire generation of devs raised hearing "copyright violations are theft, don't do it, it's bad"? Unsurprisingly many of these people indeed think that when Anthropic and OpenAI do industrial scale copyright theft that's bad.

Also, calling most of humanity "stupid" is pretty stupid.


An AI design is an imperfect hint that the copy may also be similarly generated.

Because a lot of us don’t want to see AI slop and it’s very useful to have that pointed out in the comments before I waste time clicking on the link and slowly coming to that realization myself.

The solution is Treasury Inflation Protected Securities (TIPS). You do have to pay taxes on the inflation adjustment (OID income). As long as the interest (after taxes) is higher than taxes on inflation adjustment you're good.

Don't forget the $10,000 annual limit of purchases. If you want to go heavy into TIPS, you can hit that limit pretty quick.

"First run" doesn't exist for JavaScript libs used only in web apps. So for that entire class of packages this change makes them safe.

Don't forget about tests. That'll run code for every package that is imported. Yes, imported, because in JS importing means "run all the top level code in this file". So to continue exploiting you just place your malicious code in index.js instead of a postinstall script. Not as guaranteed to run but still very likely.

Build tooling still runs though. Your bundler plugin or PostCSS transform gets full fs access at build time, nobody's auditing that.

Build deps are even disregarded as less critical than runtime deps traditionally. So deps like sphinx for building docs are still a dev side supply chain vector.

https://github.com/kennethreitz/pytheory/issues/47

The reason this may be overlooked is because build deps are only run by the devs, but not the users, so users dismiss it as safe. However, if a build dep is infected, the infection may spread to the actual package code, which will then of course be run by the user.

Not theoretical, Microsoft is currently under attack by a worm that spreads through vs code extensions, which then spread to actual packages that users run.


"First run" certainly exists in web apps, it's just running JS in a browser rather than a shell script on a developer or CI machine.

There is plenty of malicious stuff you can do from the browser.


> So for that entire class of packages this change makes them safe.

This is misleading. The change addresses one important attack vector. But if one runs the application directly on the host for development, if the package is imported as pointed out in the other comments or the package intends to steal user credentials from production, it is far from "being safe". Safer, but still needs scrutiny.


But this is npm, the execution environment is not the browser, but the server.

Most packages are imported via import/require, even if it's a browser only package. Because of SSR and reasons.

Or maybe not; let's look at a random browser-only example. Angular and React will use SSR, so they will execute on the server; let's check jQuery:

https://www.npmjs.com/package/jquery

Docs suggest just using a script tag instead of npm; when using npm install, they suggest running an import statement, which can execute arbitrary code.

The bottom line seems to be that if you are using npm, it's because you are using node, and therefore you will run the imported code on the server; otherwise you would use a script tag.

But maybe there's a way to define a browser only package or .js URL such that it is only downloaded and served but never executed server side?

In any case, not a huge usecase of npm, which again, is designed for node which is backend.

Random example,

include


$100K is a ridiculous amount and would have led to US losing its edge over other countries. $25K annual fee would be more reasonable, if the foreign worker is also given a competitive salary. That amount is large enough to give US citizens preference, while at the same time enabling tech companies to hire highly skilled workers. And this has to be legislated by congress, the President has no authority to impose this tax.

Tighter corner radius in macOS -- yay!

Adding github link for those who want to use it (I do): https://github.com/vorpus/performativeUI

wait my readme isnt performative enough yet, let me add a chart showing the star history

lol. Genuinely curious, what is your reaction to so much "actually, this is great and useful" feedback?

this gives me great motivation to take on even more story points next sprint!

So basically communism. Communism is a political and economic ideology advocating the collective ownership of the means of production (e.g., factories, farms, and resources) and wealth is distributed based on individual need.

More like the Post Office, I would think?

Amusingly, I would not hate if USPS was effectively replaced by AI. Hmm. Lets do it.

More like that government funded crypto fund scam. And nothing like the post office, although Trump engaged in some wheeling and dealing with one of his cronies there, too.

Basically communism. Communism is a political and economic ideology advocating the collective ownership of the means of production (e.g., factories, farms, and resources) and wealth is distributed based on individual need.

"Addiction" is a bad word. It implies the user is not in control of themselves.

Anyone who makes products wants users of our product to keep coming back as though they are addicted, but not actually addicted.


> Anyone who makes products wants users of our product to keep coming back as though they are addicted, but not actually addicted.

Can you explain the distinction? I am not seeing it. If I keep refreshing a product page to get another dopamine hit, am I addicted or not addicted but appearing so to your metrics?


Everyone likes a beer analogy (almost as much as CS teachers love car analogies!) so I’ll try and do one that applies in the way I _think_ GP intends:

Brewers want people to want beer, and to perhaps puritans, that desire could appear as “addicted”. However, brewers don’t want addicts - liver failure, destitution, death, are all things I doubt a brewer wants to see in their consumer base because you can’t drink if you don’t have a liver, don’t have money, or don’t have life.

Did I, as a child, think my dad was addicted to alcohol because I saw him drink everyday? I did, that’s the appearance it gave. Was he? Not to the clinical point of addiction, technically - he functioned, maintained relationships and a job, and wasn’t more than occasionally emotionally abusive. He fit the type of customer GP seems to talk about - appearing to be addicted but not wholly, truly addicted.


I think the point the gp is making is that companies want their users addicted but never should say "addicted" since it has undesirable implications.

Are you addicted to your job? You keep going back every single work day. Does that mean you are addicted? Just because you keep repeating an action doesn't mean you're addicted. It just means it is solving a problem for you (such as providing you with a salary to buy food and pay rent) and does it well.

I am not addicted to my job but my employer would like me to be.

I think apps are a different beast. They (generally, with few exceptions) want their users to be addicted. An addicted user is more likely to come back than one that gets a need met. Once that need is fulfilled, they leave.

If companies actually wanted to fill people's needs they wouldn't use dark patterns like having to call to cancel, spamming them without their consent, switching opt-out choices back with updates, etc. Because they use these dirty tricks, it's hard to believe they have the users best interest in mind. They don't. They just want the line to go up.


I've met plenty of people who want to make products that solve problems, even if the product's user only has those problems once in a while. Reaching for a well-liked, well-matched tool whenever a problem arises isn't addicted or quasi-addicted or "as though" addicted behavior.

Once you're thinking about how to keep a user coming back, you're in the mutually adversarial design space, whatever language is used to more pleasantly redecorate that reality.


You can't be a good designer if you aren't thinking about how to get your users to love your product so much that they keep coming back. There are good and bad ways to keep users coming back. The good way is to simply make the product very useful. The bad way is to make the user psychologically dependent on your product in some way.

Yet almost everyone uses dark patterns, which imply they don't think their product is good enough for users to return on their own volition. In fact, I can't think of a single for-profit company that doesn't use at least one dark pattern.

I can think of one such company. Full disclosure: I work for them. It's a successful startup where the entire retention strategy is for our product to be so freaking amazing you'll never want to use anything else. It's been working very well so far. But our product really is freaking amazing.

Since I posted I thought of another one (assuming you don't work for them). But, they really are rare. I see dark patterns everywhere, so I have a visceral reaction to any claims that companies respect users.

why do you think microsoft is that concerned with their user's wellbeing?

there are other industries whose entire business revolves around selling to addicts, why would MS of all companies suddenly balk at that line?


Indeed,

There's a race and tug-of-war to frame how interaction with apps works. The addiction word has a strong "think of the children" energy and I would expect any company to want to have their app tagged with the term.

Of course, what exactly "addicted" means in the context of interacting with a program is really pretty fuzzy, but yeah, "users not in control of themselves" is perhaps the biggest implication (and not necessarily false, mind you). Of course, this is a matter of both degree and social context.

If only we had a social dialog about the real meaning of things labeled addictive, perhaps their terrible impact could be mitigated. But hey, I guess we get policing and moral panics instead.


Even without flicker it is very distracting. Why do people think this is a good idea?

