Building my npx business card

https://ashley.dev/posts/turning-feedback-into-features/

8•edent•7mo ago

Comments

steele•7mo ago

Ooh, free real estate, let's colonize and gentrify package management

aabhay•7mo ago

Lmao, gentrify cracked me up

neilv•7mo ago

Do these npx business cards run arbitrary code on your computer?

cypherpunks01•7mo ago

npx

Run a command from a local or remote npm package

Description

This command allows you to run an arbitrary command from an npm package (either one installed locally, or fetched remotely), in a similar context as running it via npm run.

neilv•6mo ago

Yes, then is a "command from an npm package" arbitrary code?

And what is this "similar context as running it via npm run"?

Would it be better to answer the question directly?

joshka•7mo ago

Yeah, this seems like a very smart but inherently flawed idea.

cypherpunks01•7mo ago

Yes I agree! OSS package management ecosystems are a great idea, but allowing submissions without any review or vetting is just asking for supply chain attacks.

Xss3•7mo ago

May as well just release an executable tbh.

theamk•7mo ago

Reminds me of JAPH [0] - a tiny Perl program that was used in email/newsgroup signature to give it personal touch.

[0] https://www.perlmonks.org/?node_id=412464

watusername•7mo ago

Terminal business cards are a nice idea, but RCE business cards are just asking for trouble. Instead of npx, what happened to good'ol curl? Something like

$ curl ashley.dev

Some decades ago, we had finger (https://en.wikipedia.org/wiki/Finger_%28protocol%29) which is designed for this very use case. Sadly it's no longer installed by default with most distros:

$ finger @ashley.dev

queezey•6mo ago

This would be a great advertisement for security consulting.

"I was just able to run arbitrary code on your computer. Here is a sample of your recent browser history. Let me tell you help you mitigate your security vulnerabilities."

Avoid UUIDv4 Primary Keys

Adafruit: Arduino’s Rules Are ‘Incompatible With Open Source’

Unscii

Arborium: Tree-sitter code highlighting with Native and WASM targets

Roomba maker goes bankrupt, Chinese owner emerges

Ask HN: What Are You Working On? (December 2025)

$5 whale listening hydrophone making workshop

The Whole App is a Blob

John Varley has died

If AI replaces workers, should it also pay taxes?

Common Rust Lifetime Misconceptions

The Problem of Teaching Physics in Latin America (1963)

Show HN: I wrote a book – Debugging TypeScript Applications (in beta)

Rob Reiner has died

Running on Empty: Copper

Hashcards: A plain-text spaced repetition system

JSDoc is TypeScript

CapROS: Capability-Based Reliable Operating System

A trip through the Graphics Pipeline (2011)

AI agents are starting to eat SaaS

The History of Xerox

Read Something Wonderful

The Java Ring: A Wearable Computer (1998)

Rio de Janeiro's talipot palm trees bloom for the first and only time

Elevated errors across many models

In the Beginning was the Command Line (1999)

An attempt to articulate Forth's practical strengths and eternal usefulness

Price of a bot army revealed across online platforms

Shai-Hulud compromised a dev machine and raided GitHub org access: a post-mortem

How well do you know C++ auto type deduction?