
Tell HN: Camelgate NPM Outage (Cloudflare)

122•bavarianbob•10mo ago
EDIT: Back online?!

NPM discussion: https://github.com/npm/cli/issues/8203

NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s

Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74

GitHub issue: https://github.com/sindresorhus/camelcase/issues/114

Anyone experiencing npm outage that's more than just the referenced camelcase package?

Comments

Recursing•10mo ago
Any path with the word "camel" seems to trigger this: https://www.npmjs.com/search?q=camel | https://registry.npmjs.org/camel123 | https://registry.yarnpkg.com/camel456

Some discussion here https://github.com/npm/cli/issues/8203

Edit: this is resolved now https://status.npmjs.org/incidents/hdtkrsqp134s

tom_usher•10mo ago
Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

That rule can be overridden if you're having this issue on your own site.

cbovis•10mo ago
Confirmed here: https://www.cloudflarestatus.com/incidents/gshczn1wxh74
oncallthrow•10mo ago
WAFs are so shit
ronsor•10mo ago
WAFs are literally "a pile of regexes can secure my insecure software"
mschuster91•10mo ago
To be fair to WAFs, most are more than just a pile of regexes. Things like detecting bot traffic - be it spammers or AI scrapers - are valuable (ESPECIALLY the AI scraper detection, because unlike search engines these things have zero context recognition or respect for robots.txt and will just happily go on and ingest very heavy endpoints), and the large CDN/WAF providers can do it even better because they can spot shit like automated port scanners, Metasploit or similar skiddie tooling across all the services that use them.

Honestly what I'd _love_ to see is AWS, GCE, Azure, Fastly, Cloudflare and Akamai band together and share information about such bad actors, compile evidence lists and file abuse reports against their ISP - or in case the ISP is a "bulletproof hoster" or certain enemy states, initiate enforcement actors like governments to get these bad ISPs disconnected from the Internet.

randunel•10mo ago
Why would scrapes get blocked, is scraping illegal?
eitland•10mo ago
I don't know if it is, but I also don't think we are required to let dumb bots repeatedly assault our web sites if we can find a technical way to get around it.
Xylakant•10mo ago
It's very often not, but it's still the website owner's property and if they so choose, they can show misbehaving guests the door and kindly ask them to remain on the other side (aka block them). Large-scale scraping puts a substantial burden on web properties. I was paged the other night because someone decided it would be a great idea to throw 200 000rq/s for a few minutes at some publicly available volunteer-run service.
cluckindan•10mo ago
They do mitigate known vulnerabilities.
rcxdude•10mo ago
They may mitigate known proofs of concept of vulnerabilities, and require a small amount of creativity to work around. At the cost of randomly breaking things.
cluckindan•10mo ago
That creativity takes time. WAFs are the first line of defence, buying some time for fixing the actual vulnerabilities.
UltraSane•10mo ago
But are they less shit than the shitty software they filter traffic for?
internetter•10mo ago
> any site using that will have URLs containing 'camel' blocked

What engineer at Cloudflare thought this was a good resolution?

Raed667•10mo ago
I doubt the system is that simple. No one wrote a rule saying `if url.contains("camel") then block()` it's probably an unintended side-effect
keithwhor•10mo ago
If this is a bet, I'll happily take the other side and give you 4:1 on it.
dgfitz•10mo ago
Me too.
ycombinatrix•10mo ago
Akamai has been doing precisely that for years & years...
benoau•10mo ago
I think you can include advertising/privacy block lists in that vein too, although that allows for the users to locally-correct any issues.
isbvhodnvemrwvn•10mo ago
Judging by previous outages it was probably a poorly tested, overcomplicated regex which matched too much.
nwalters512•10mo ago
The npm folks have officially acknowledged an incident now: https://status.npmjs.org/incidents/hdtkrsqp134s
mplanchard•10mo ago
Glad you posted something, thought I was going nuts
klysm•10mo ago
This is what you get when you buy security as an add-on product
troyvit•10mo ago
Some orgs can't afford not to.
drusepth•10mo ago
Is this also why unpkg has been up and down all morning?
ycombinatrix•10mo ago
unpkg barely works even when there's no incident
pvg•10mo ago
This is not CF WAF's first rodeo https://news.ycombinator.com/item?id=20421538

Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.

calvinmorrison•10mo ago
We've used it to rescue some vintage appliances that are basically unsecurable.
AdamJacobMuller•10mo ago
I'm not sure why "WAF has false positives" makes it useless, nor would I say this is anywhere near the scale of "breaking the internet" and I'm not even a fan of the concept of WAFs in general.
pvg•10mo ago
The last one took out a lot more stuff than this one but the argument is the same - this product is a checkmark thing and when it's not fulfilling its checkmark purpose, it causes outages. Still an amusing bi-modality! I suppose it shares it with DNSSEC.
misiek08•10mo ago
Basically CF default WAF settings saved more small and medium companies than I can even count. I’m not a CF fan, but WAFs (with rate limiting) do help. Sad that one or two incidents for such complicated and big services make people post such comments, but c'mon - it doesn’t have AI in its name so sheep have to cry, right?
lynnesbian•10mo ago
> a product that mostly doesn't do anything except for occasionally break the internet

I wouldn't say that. The postmortem you referred to links to another Cloudflare blog post - one about a pretty serious RCE vuln in Microsoft SharePoint that was blocked by their WAF: https://blog.cloudflare.com/stopping-cve-2019-0604/

pvg•10mo ago
I mean, it's hardly surprising Cloudflare will tell you this is a useful product. But it is to securing a web application what regex is to parsing HTML.
jiggawatts•10mo ago
Sadly I work with web developers that all assume they don’t need to bother too much with security “because we have a WAF”.
miyuru•10mo ago
Outsourcing WAF is a double-edged sword.

I would have thought a large company like GitHub or Microsoft can have their own WAF team for their apps.

(NPM is owned by GitHub, and GitHub is owned by Microsoft)

time4tea•10mo ago
Scunthorpe problem
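
The failure mode discussed in this thread, as an added example that is not part of any comment and is not Cloudflare's or npm's code: a pre-deployment false-positive check that replays known-good URLs against a candidate WAF rule before it is switched to blocking. Both rules, the `Rule` class, the host `camel-app.internal.example` and the last two benign URLs are constructed for illustration; the first three URLs are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str       # regex applied to path + query string
    hosts: tuple = ()  # empty tuple = rule applies to every host behind the WAF

    def blocks(self, url: str) -> bool:
        parts = urlsplit(url)
        if self.hosts and parts.hostname not in self.hosts:
            return False  # rule is scoped and this host is out of scope
        target = parts.path + ("?" + parts.query if parts.query else "")
        return re.search(self.pattern, target, re.IGNORECASE) is not None


# Known-good traffic sample. First three URLs are quoted in the thread,
# the last two are constructed.
BENIGN = [
    "https://www.npmjs.com/search?q=camel",
    "https://registry.npmjs.org/camel123",
    "https://registry.yarnpkg.com/camel456",
    "https://registry.npmjs.org/camelcase",
    "https://registry.npmjs.org/left-pad",
]

# Hypothetical rules: neither is the real managed-ruleset signature.
BROAD = Rule("broad-substring", r"camel")
SCOPED = Rule("scoped-to-affected-app", r"camel",
              hosts=("camel-app.internal.example",))


def false_positives(rule: Rule, benign_urls: list) -> list:
    """Return the benign URLs the rule would have blocked."""
    return [u for u in benign_urls if rule.blocks(u)]


def safe_to_enforce(rule: Rule, benign_urls: list, max_fp_rate: float = 0.0) -> bool:
    """Gate: only promote a rule from log-only to block below the FP budget."""
    return len(false_positives(rule, benign_urls)) / len(benign_urls) <= max_fp_rate


if __name__ == "__main__":
    for rule in (BROAD, SCOPED):
        verdict = "enforce" if safe_to_enforce(rule, BENIGN) else "keep log-only"
        print(rule.name, verdict, false_positives(rule, BENIGN))
```
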