I guess we now live in the post-"ads in the npm install log" erapic.twitter.com/pSnBnMDNSg
Show this thread
-
Belated thanks to everybody who independently came up with this horrific idea, and did the sensible thing of burying it at midnight under a new moon instead of acting on it or telling anybody about it. I know I wasn't the only one
Show this thread
I'm tentatively tracing this idea back to the post-install sponsorship message which has been part of the staggeringly widely-used package `core-js` since May 17 of this year, and which I see nearly every day https://github.com/zloirock/core-js/blob/1e14cf0577de17a7410be3f2e8a7ff6f9e15a1b9/packages/core-js/scripts/postinstall.js …
-
-
Be right back, inventing uBlock Origin for npm install scripts
Show this thread -
At present, the way this ad works is that `standard` has a dependency on another new package, `funding`, which does nothing but print one of a hard-coded group of ads at install time https://github.com/feross/funding/blob/master/messages.json …
Show this thread -
So I guess we're not at the point yet where one's machine is dynamically downloading and executing advertisers' code during npm installation. But let's check back in 15 minutes
Show this thread -
This is probably a good time to start investigating mitigations for the kind of scenario where an npm install script tries to make HTTP requests
Show this thread -
Because an npm install script which dynamically loads ad code is a really amazing opportunity to inject "ad" code which, I don't know, scoops up secrets from the local environment and sends them somewhere
Show this thread -
To be clear: we got to this point because people want money. As long as we live in a capitalist society, there's no point where people stop wanting more money. That means ads will eventually permeate every electron of our universe. It is/was inevitable
Show this thread -
No amount of revamping open source software funding structures would have prevented this from happening eventually, nor can it make this go away now it's begun
Show this thread -
Advertising in your install log is going to be as simple as dropping a banner ad on your website. Install log ads are going to have all the same problems and very familiar solutions
Show this thread
End of conversation
New conversation -
-
-
"Vim is Charityware. You can use and copy it as much as you like, but you are encouraged to make a donation for needy children in Uganda."
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.