Fork me on GitHub

what really grinds my gears - people, at large, seem to be amazed about books that teach tutoring-leading-coaching based on industrial age standards (factories that ship identical components for years and optimize the process of building and selling those). and software development feels nothing alike, we don't build the same application every day for 50 times, we have discovered automation years ago. and reading the books, checking their examples about horribly dysfunctional companies. brrrrr!


this is like learning to scuba dive by reading books on how to drive cars.


and on a side note i believe that future is about improving quality, as with our limited resources on the planet we have maxed out the quanitity part a while ago. so learning how to do more stuff isn't what we should be focusing on.


maybe I'm thinking of something different, but I'd say that the current obsession in software is 'speed' (vs. quantity): go to market asap, get this feature out of the door now, close the sprint, etc; all at the cost of quality

👍 4

that sounds like an issue of the maturity in the engineering team. "i wanna be a good boy" mentality, this burns teams through in a handful of years. avoid if you can 🙂. in my experience life is better in companies that know they have to maintain the result(s) for years or decades. then the quality part starts to pay off really fast. nobody wants to maintain a mess or refactor a horror factory provider.

👍 4

I'm not sure if I know what you mean, but improving quality can improve quantity, e.g. I read an article a while ago on a man who taught, indirectly, the entire farming world to improve food production on the same amount of land by noticeable percentages. Sometimes improving one improves the other, too.


Well that's more like improving efficiency, but yes on a similar track. In a real life situation, instead of making manual reports (heck) or making 3 low quality reports from a database - one clear high quality one is more useful. Instead of rushing a bleeding development with barely any tests having a piece of software that is simple to understand, covered with tests and without unnecessary cleverness hidden in.


Maybe some more people could let it know the want to use clj commands with Netlify. Used it before with leiningen, it's a great way to deploy open source projects for free.


in the past, i've received a number of security alerts regarding npm-related things for repositories on github -- it seems not too infrequent for them to be flat out wrong. i don't see an obvious way to provide feedback about this to github. it seems like one ought to be able to mark them as "no, that seems wrong", but i haven't yet found a way to do so. any thoughts?


Do you know what organization, software, etc. are creating these security alerts?


well, the advisory itself doesn't seem wrong -- the problem is that github appears to be claiming that it applies to certain repositories...which the advisory does not seem to apply to.


i'm being alerted by github afaict


I would not be surprised if, like a lint checker type tool, there could be false positives in the software (and/or human decisions) involved in generating these messages.


sure, that makes sense -- it just seems silly that there would be no way to provide feedback to "train" their system better 🙂


If there are no links in the messages to who/what generated them, that seems sloppy to me. If there are, try to trace it back and look for problem-reporting places.


The link you are looking for might not be in the message itself, but only reachable via 1 to 3 clicks from the message.


There is a Github user id right there 🙂


this just seems to be sending me to some general info afaict


sure, but this is like spam


There is also a generic "Contact Github" link at the bottom, which would probably be lumped together with lots of other kinds of questions/concerns.


False positives for a good-intentioned service can look like spam, agreed. I would not be surprised if the source of the messages has good intentions, regardless of how well or poorly they carry them out, but I don't know the source.


sorry, wasn't questioning the intentions here -- i am generally favorable about the idea of being notified of potential security issues. it just seemed so wrong in this case (and a number of cases in the past) that i start to doubt my conclusion.


Maybe everyone using npm in any way at all in a Github-published project got a link to that, given its widespread applicability?


i thought that could be the case, but there is some indication that the decision was based on a particular yarn.lock file -- when i look in the yarn.lock file, the npm version is clearly greater than the vulnerable version mentioned in the advisory


3 npm vulnerabilities found in yarn.lock 2 days ago


i haven't touched this repository in quite some time


so afaik, nothing has changed in it


New vulnerabilities can be discovered in unchanged software, whenever. I am not saying I know your code is subject to the reported vulnerability, just that you don't need to change it to be vulnerable.


Anyway, sorry, all I have is generic advice, not based on experience with these messages. If worst comes to worst, you can use your email filtering capabilities to redirect them all into a folder that doesn't hit your inbox.


which I guess doesn't help if they arrive to you also as Github issues 🙂


it's fine -- i used the word "spam" but not with the intention that i was bothered by receiving the notification, but rather that there didn't seem to be a good way to provide feedback, if that makes sense?


yes, i am familiar with that phenomena (vulns being discovered in unchanging software) 🙂 it's just that the numbers don't agree in this case


np, appreciate the joint-processing 🙂

Ike Mawira21:12:06

I have been getting this GitHub security alerts for a while now, recently, more frequently. They usually suggest a bump version and it works when i update to the suggested version. I found the dependabot bot very helpful, it upgrades and closes the issue.


it's good to hear it's helping some people at least 🙂

Ike Mawira22:12:06

I haven't tested it on cljs projects with node plugins, but it seems to be working well with pure NodeJs projects i guess.

Ike Mawira22:12:30

Did you try to update to the suggested version (Even if your version was greater than the mentioned version)? 😁


no -- i'm not really inclined to change a version for something just to match an advisory if what i had was working and supposedly not vulnerable.

Lennart Buit22:12:33

Do yarn audit and/or npm audit also claim no vulnerabilities?


yarn audit was the first thing i tried -- and it said 0 vulns.


I get those alerts too, on the Ruby-based source of several websites that are powered by (an old version of) Octopress.