Webhooks were built for a simpler time. Next Generation Events are built for ours.
Choose what triggers your webhook, shape your payload with GraphQL and run filters before it even hits your endpoint.
Now in Developer Preview.
@DavisPaipa Yep, it's very rare for anyone to leave a review without support interaction. So if your app just works and you have good docs, it's hard to get reviews. The review archiving makes it even worse if you've been around for a long time (10 years in our case).
Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10+ years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored).
If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies. If you don't see anything compelling, don't update!
I remember at HashiCorp once in a while an engineer would try to update a dep or replace a DIY lib with an external one and I'd always ask “show me the commit we need.” Don't update for the sake of it.
Feeling pretty swell about this mentality with all the supply chain attacks happening.
And now you can access your analytics data in Shopify Flow with a "Get analytics data" action. It works with our scheduled time trigger, enabling reporting use cases and more. https://t.co/LBN3vwlhrs
@marksuman Love the new Projects folders, but not a fan of the new font (harder to read, previous one was much better in our opinion, but maybe we'll get used to it eventually). The extra Cloudflare check is also a bit annoying as we're always on VPN, so it gets triggered all the time.
We avoid doing simple things that work because they don't make us look smart.
Smart people feel stupid doing simple things, so we invent complicated alternatives that accomplish less but feel more intellectually satisfying.
Meanwhile, the people who dominate their fields are doing embarrassingly basic things, but they do them better than everyone else.
-- Shane Parrish
Maple Update: We're excited to roll out Projects and Pinned Chats. A new way to organize your work into clear, focused spaces.
- Group chats into Projects
- Set custom instructions that apply to every chat
- Pin the chats you visit daily
As always, your data remains private.
Chrome extensions are so incredibly unsafe
Malware criminals find popular ones, pay the owners of the extension lots of money, they add malware to the code and millions of people get infected
Then they take your cookies, localStorage, anything they can access
Which is why in locked down advanced security devices you can't even install Chrome extensions
I mostly run uBlock Origin, but have some others that I'll just vibecode now to stay safe
New supply chain attack this time for npm axios, the most popular HTTP client library with 300M weekly downloads.
Scanning my system I found a use imported from googleworkspace/cli from a few days ago when I was experimenting with gmail/gcal cli. The installed version (luckily) resolved to an unaffected 1.13.5, but the project dependency is not pinned, meaning that if I did this earlier today the code would have resolved to latest and I'd be pwned.
It's possible to personally defend against these to some extent with local settings, e.g. release-age constraints, containers, etc., but I think ultimately the defaults of package management projects (pip, npm etc.) have to change so that a single infection (usually luckily fairly temporary in nature due to security scanning) does not spread through users at random and at scale via unpinned dependencies.
More comprehensive article:
https://t.co/EJAZbqAPIQ
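The release-age constraints and pinning the post above mentions, as an added Python example that is not code from any of these posts; `audit_requirements`, `pick_version`, the sample requirements and the release timestamps are all constructed assumptions.

```python
# Added example, not code from any post above: two defender-side checks a CI job
# could run before `pip install`. All release data below is constructed.
import re
from datetime import datetime, timedelta, timezone

# requirement name, optional [extras], optional comparison operator
_SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?")

def audit_requirements(text):
    """Map each requirement that could silently resolve to a newer release
    onto the reason; only 'name==X --hash=...' lines are accepted as safe."""
    problems = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):        # blank, -r, --index-url ...
            continue
        m = _SPEC_RE.match(line)
        if m is None:
            problems[line] = "unrecognised requirement syntax"
            continue
        name, op = m.group(1).lower(), m.group(2)
        if op is None:
            problems[name] = "unpinned: resolves to the latest release"
        elif op != "==":
            problems[name] = f"range '{op}': resolves to the newest match"
        elif "--hash=" not in line:
            problems[name] = "exact pin but no --hash: artifact not verified"
    return problems

def pick_version(releases, now, min_age_days=7):
    """Release-age constraint: highest version uploaded at least min_age_days
    ago, so a release pushed minutes ago is never selected. Numeric X.Y.Z only."""
    cutoff = now - timedelta(days=min_age_days)
    old_enough = [v for v, ts in releases.items() if ts <= cutoff]
    if not old_enough:
        return None
    return max(old_enough, key=lambda v: tuple(int(p) for p in v.split(".")))

# Constructed sample input: a range spec, a hashed exact pin, a bare name.
SAMPLE_REQS = """\
litellm>=1.64.0
requests==2.32.3 --hash=sha256:PLACEHOLDER_NOT_A_REAL_HASH
dspy
"""
NOW = datetime(2026, 3, 26, 12, 0, tzinfo=timezone.utc)   # constructed clock
SAMPLE_RELEASES = {                                        # constructed upload times
    "1.82.7": NOW - timedelta(days=12),
    "1.82.8": NOW - timedelta(hours=1),   # pushed an hour ago: too fresh to trust
}
```

With a 7-day policy `pick_version` ignores the hour-old release and returns `1.82.7`; with no minimum age it would happily pick the fresh one.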
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwned. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've become increasingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
A bespoke software revolution? I don't buy it.
It'll exist. It already exists. Small consultants and big consulting firms have made custom software for years. It almost always sucks. It’s bloated, confusing, and because the client pays, it’s built wrong in all the ways.
Who’s excited about bespoke software? Software makers! Of course they're excited about building bespoke software — that's what they do. X is full of them. Your feed is full of people who love making software talking about making software. Of course they’re excited about the revolution. Echo, echo, echo...
Most people don’t like computers. Nobody in tech wants to say that out loud. People tolerate computers. They use them because they have to. Given the choice, most would rather not think about them at all.
So when someone suggests that AI means everyone will build their own custom tools, ask who "everyone" is. The three-person accounting firm drowning in client paperwork? They want the paperwork gone, not a new system to maintain. The regional logistics company with 40 trucks? They want the routes optimized, not Joe spouting off about this new system he’s been messing around with. The law firm billing 70-hour weeks? They want leverage on their time, not a software project to design.
They don’t hate technology. But building and maintaining their own critical systems isn’t their wheelhouse, regardless of how much faster and easier it’s become. It's another job on top of the job.
Will these people use AI? Absolutely, for all sorts of things. Will some outliers go deep and build real custom systems? Sure, but they're almost always people who already had some pull toward software. The curiosity was already there. They were dabblers before.
Giving everyone access to software building tools doesn't mean everyone becomes a builder. A powerful excavator doesn't turn a homeowner into a contractor. Most people just want the hole dug by someone else. They don’t want the responsibility either.