Building my npx business card

https://ashley.dev/posts/turning-feedback-into-features/

8•edent•1y ago

Comments

steele•1y ago

Ooh, free real estate, let's colonize and gentrify package management

aabhay•1y ago

Lmao, gentrify cracked me up

neilv•1y ago

Do these npx business cards run arbitrary code on your computer?

cypherpunks01•1y ago

npx

Run a command from a local or remote npm package

Description

This command allows you to run an arbitrary command from an npm package (either one installed locally, or fetched remotely), in a similar context as running it via npm run.

neilv•1y ago

Yes, then is a "command from an npm package" arbitrary code?

And what is this "similar context as running it via npm run"?

Would it be better to answer the question directly?

joshka•1y ago

Yeah, this seems like a very smart but inherently flawed idea.

cypherpunks01•1y ago

Yes I agree! OSS package management ecosystems are a great idea, but allowing submissions without any review or vetting is just asking for supply chain attacks.

Xss3•1y ago

May as well just release an executable tbh.

theamk•1y ago

Reminds me of JAPH [0] - a tiny Perl program that was used in email/newsgroup signature to give it personal touch.

[0] https://www.perlmonks.org/?node_id=412464

watusername•1y ago

Terminal business cards are a nice idea, but RCE business cards are just asking for trouble. Instead of npx, what happened to good'ol curl? Something like

$ curl ashley.dev

Some decades ago, we had finger (https://en.wikipedia.org/wiki/Finger_%28protocol%29) which is designed for this very use case. Sadly it's no longer installed by default with most distros:

$ finger @ashley.dev

queezey•1y ago

This would be a great advertisement for security consulting.

"I was just able to run arbitrary code on your computer. Here is a sample of your recent browser history. Let me tell you help you mitigate your security vulnerabilities."

Azure Linux 4.0 is Microsoft's first general-purpose Linux

Meta enables ADB on deprecated Portal devices [video]

Anthropic's open-source framework for AI-powered vulnerability discovery

Open Code Review – An AI-powered code review CLI tool

Do transformers need three projections? Systematic study of QKV variants

WiFi Time

I'm skeptical about efforts to revolutionize schooling

Branchless Quicksort faster than std:sort and pdqsort with C and C++ API

SpaceX, Other Mega IPOs Denied Fast Index Entry by S&P

Delacroix's Entry of the Crusaders into Constantinople Restored

Reverse-Engineered Userspace Driver for Asus ZenVision Lid OLED on Linux"

Magenta RealTime 2: Open and Local Live Music Models

C++: The Documentary Released Today

Dear Microsoft, enough is enough

When AI Builds Itself: Our progress toward recursive self-improvement

The Causes of Long Covid

The Pentagon is running an AI propaganda mill targeting Latin America

Samurai City

Retro-Tech Parenting

KVarN: Native vLLM backend for KV-cache quantization by Huawei

Go Experiments Explained

Queen bees emerge from special wax chambers

VoidZero Is Joining Cloudflare

South Korean Forums Will Need to Scan Every Images with AI Censorship Tools

JLink JTAG Access on the Pinecil

Pass the Cherries: Review of Twilight of the Dons

Latent Agents: A Post-Training Procedure for Internalized Multi-Agent Debate

Show HN: Mercek – A Desktop IDE for AWS ECS

Castor: CERN Advanced STORage Manager

Making Debian or Fedora persistent live images