thesamesam

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

fabiospampinato

# 20x faster replacement for "npm run"
# - It supports scripts executing a built-in shell function
# - It supports scripts executing a binary found in PATH
# - It supports scripts executing a binary found in node_modules
# - It supports passing arguments and options to scripts
# - It supports reading scripts either via ripgrep (fast) or via jq (slower, but safer)
# - It adds ./node_modules/.bin to the $PATH
# - It handles gracefully when a script has not been found
# - It handles gracefully when "&", "&&", "|", "||", or ENV variables are used, falling back to "npm run"

veekaybee

ChatGPT Resources

Context

ChatGPT appeared like an explosion on all my social media timelines in early December 2022. While I keep up with machine learning as an industry, I wasn't focused so much on this particular corner, and all the screenshots seemed like they came out of nowhere. What was this model? How did the chat prompting work? What was the context of OpenAI doing this work and collecting my prompts for training data?

I decided to do a quick investigation. Here's all the information I've found so far. I'm aggregating and synthesizing it as I go, so it's currently changing pretty frequently.

Model Architecture

lrvick

Sig v2 Design (Draft!)

The goal of this document is to describe the desired user experience for the next generation of "sig" and it's predecessor "git-signatures"

• https://github.com/distrust-foundation/sig
• https://github.com/hashbang/git-signatures

These were useful prototypes but significant improvement is needed before widespread use.

Challenges

sindresorhus

Pure ESM package

The package that linked you here is now pure ESM. It cannot be require()'d from CommonJS.

This means you have the following choices:

1. Use ESM yourself. (preferred)
   Use import foo from 'foo' instead of const foo = require('foo') to import the package. You also need to put "type": "module" in your package.json and more. Follow the below guide.
2. If the package is used in an async context, you could use await import(…) from CommonJS instead of require(…).
3. Stay on the existing version of the package until you can move to ESM.

br3ndonland

Getting the Gist of GitHub Actions

Tutorial and tips for GitHub Actions workflows

Table of Contents

• Introduction
• Workflows and actions

MichaelCurrin

Get Pull Requests using GH's GraphQL API

How to get Pull Requests data using Github in the browser, or using the API to allow for automating reporting or building in values into a website.

Resources

• GitHub GQL API: https://developer.github.com/v4/
• Explorer: https://developer.github.com/v4/explorer/
• Github community topics - these were used to understand the syntax needed.

Kida007

import React from "react";
import {
  View,
  SafeAreaView,
  Text,
  Dimensions,
  StyleSheet,
  TouchableWithoutFeedback
} from "react-native";
import Svg, {

alanshaw

Streaming iterables

Your friends from pull stream, but in terms of async iterators.

source it

A "source" is something that can be consumed. It is an iterable object.

const ints = {

outofambit

ffmpeg -i screen.mov -pix_fmt rgb8 -r 8 -vf scale=-1:640 my-gif.gif