
This used to happen with benchmarks on phones: manufacturers would tweak Android so benchmarks ran faster.

I guess that's kinda how it is for any system that's trained to do well on benchmarks: it does well on them but is rubbish at everything else.


Yes, they turned off all energy-economy measures when benchmarking software activity was detected, which completely defeated the point of the benchmarks, because your phone is useless if it's very fast but the battery lasts one hour.

The issue is not that devs don't know what they are, it's that they don't pin packages.

If you run `npm i ramda` it will set this to `"ramda": "^0.32.0"` (as of this comment).

That `^` means install any version that is a feature or patch release.

So when a package is released with malware, they bump the version to 0.32.1 and everyone just installs it on the next `npm i`.

Pinning your deps (`"ramda": "0.32.0"`) completely removes the risk, assuming the version you listed is not infected.

The trade-off is you don't get new features/patches without manually bumping the version.


For context: ramda 0.32.0 isn't a concrete thing, in the sense that glibc 2.35 is. It really means "the latest ramda code", because if you were to pin on this version it'll at some point stop working. glibc 2.35 never stops working.

> the trade off

I see that as a desirable feature. I don’t want new functionality suddenly popping into my codebase without one of my team intending it.


Me too, but a lot of people see it as massive overhead they don't want to deal with.

Personally I pin all mine because if you don't, a version could be deployed during a pipeline and this makes your local version not the same as the one in Docker etc.

Pinning versions is the only way to be sure that the version I am running is the same as everyone else's.
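As an added example (not code from the thread, from npm, or from ramda), the following JavaScript encodes npm's documented caret and tilde range rules so you can check which versions a given specifier admits, and audits a manifest for any dependency that is not an exact pin, which is the check the two pinning comments above argue for. The package.json object and the version numbers in it are constructed for illustration.

```javascript
// Added example, not code from the thread: a minimal checker for the three
// package.json specifier shapes discussed above (exact "1.2.3", caret "^1.2.3",
// tilde "~1.2.3"), following npm's documented semver range rules, plus an
// audit that lists every dependency not pinned to one exact version.
// Pre-release tags, build metadata and other range syntaxes are out of scope.

const EXACT = /^(\d+)\.(\d+)\.(\d+)$/;

function parseVersion(v) {
  const m = EXACT.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a ^ or ~ spec, or null for an
// exact pin.
function rangeBounds(spec) {
  const op = spec[0];
  if (op !== '^' && op !== '~') return null;
  const lower = parseVersion(spec.slice(1));
  const [maj, min, pat] = lower;
  let upper;
  if (op === '~') {
    upper = [maj, min + 1, 0];   // ~1.2.3 := >=1.2.3 <1.3.0 (patch changes only)
  } else if (maj > 0) {
    upper = [maj + 1, 0, 0];     // ^1.2.3 := >=1.2.3 <2.0.0 (minor and patch changes)
  } else if (min > 0) {
    upper = [0, min + 1, 0];     // ^0.2.3 := >=0.2.3 <0.3.0 (for 0.x, caret admits patch changes only)
  } else {
    upper = [0, 0, pat + 1];     // ^0.0.3 := >=0.0.3 <0.0.4
  }
  return [lower, upper];
}

// True if `version` would be accepted by `spec` on a fresh `npm i`.
function satisfies(version, spec) {
  const v = parseVersion(version);
  const bounds = rangeBounds(spec);
  if (bounds === null) return compareVersions(v, parseVersion(spec)) === 0;
  const [lo, hi] = bounds;
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// Walks the dependency sections of a parsed package.json and returns
// "section.name: spec" for every entry that is not an exact pin.
function findUnpinned(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT.test(spec)) unpinned.push(`${section}.${name}: ${spec}`);
    }
  }
  return unpinned;
}

// Constructed sample manifest (not a real project); the version numbers are
// illustrative only.
const samplePackageJson = {
  dependencies: { ramda: '^0.32.0', express: '~4.18.2', lodash: '4.17.21' },
  devDependencies: { jest: '^29.0.0' },
};

for (const line of findUnpinned(samplePackageJson)) console.log('unpinned:', line);
console.log('0.32.1 satisfies ^0.32.0:', satisfies('0.32.1', '^0.32.0'));
console.log('0.33.0 satisfies ^0.32.0:', satisfies('0.33.0', '^0.32.0'));
```

Run it with `node`. One caveat worth keeping in mind: exact pins in package.json only constrain your direct dependencies; transitive packages still float unless a lockfile is committed and installs use `npm ci`, which refuses to proceed when the lockfile and package.json disagree instead of silently resolving new versions.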


Sure, but if you are always unique for every website then you can't be tracked over time.

They meant a signal of uniqueness for your setup that could still assist with tracking, not being unique for every site.

Last year I learned about the Collatz Conjecture, which I found super interesting.

When I started the article I was really getting into it, but then I had the stupid auto-playing video stuck to the bottom of my phone screen following me as I scroll.


By AI-generated feeds, do you mean a feed that is just full of AI posts, or an AI generating a feed that one can scroll?


I use Mongo at work and an LLM helped me find index issues.

Feeding it the explain, the query and the current indexes, it can quickly tell what it was doing and why it was slow.

I saved a bunch of time as I didn't have to read large amounts of JSON from explain to see what is going on.


This is what Proton are doing with Lumo [0].

https://lumo.proton.me


I've stopped getting LLMs to code and use them to spitball ideas, solutions etc. for the issue.

This lets you get a solution plan done, with all the files, and then you get to write the code.

Where I do let it code is in tests.

I write a first "good" passing test, then ask it to create all the others (bad input etc.). It saves a bunch of time and it can copy and paste faster than I can.


I'm experimenting with how to code w/ LLMs. I used an AI assistant for about a month w/ a React app, prompting it to do this & that, and I learned almost nothing in that month about React itself. Then I prompted it to tell me what to do, but I did the typing, and I learned quite a bit in a short period of time.


One use case is downloading binaries. For example, mongodb-memory-server [0] will download the MongoDB binary after you have installed it.

[0] https://www.npmjs.com/package/mongodb-memory-server


Why would I want that though, compared to downloading that binary in the install download?

The npm version is decoupled from the binary version, when I want them locked together.


I think it falls into a few buckets:

A) maintainers don't know any better and connect things with string and gum until it mostly works and ship it

B) people who are smart, but naive and think it will be different this time

C) package manager creators who think they’re creating something that hasn’t been done before, don’t look at prior art or failures, and fall into all of the same holes literally every other package manager has fallen into and will continue to fall into because no one in this industry learns anything.


And now optional dependencies negate the need for this. Your package manager can just download platform-specific binaries automatically https://docs.npmjs.com/cli/v7/configuring-npm/package-json#o...

