Hacker News: vinnymac's comments

Well said. In creative spaces they talk about “Dirty” vs “Clean”. Dirty they say lets you move fast. Clean is slow.

Happen to be a startup that isn’t mission critical to someone’s health and well being? Great, now you can use AI and be as dirty as you would like.

Are you working with dangerous chemicals that are ingested by others, or systems that control hunks of metal flying through the sky with hundreds on board? Maybe we should stay clean in those environments until we make AI itself clean.


Curious, why do you say that as if the "I'm Feeling Lucky" button isn't still on the homepage in 2026?

I couldn't even tell you when I used the Google search page. It's been years at least. I wouldn't be surprised if many other people also don't go there to search. I assume most search straight in the url bar.

Home pages are still a thing and are often set to Google.

Because it’s not there on mobile

Because it is useless now.

Same here, I now self host Forgejo and Tangled Knot + Spindle.

Only use GitHub for employers at the moment, but don’t intend to put new code there going forward.


I’m actively working on a free and open source alternative Frontend for Forgejo that I self host called Joui

I’m in the process of developing an alternative Frontend for Forgejo that’s incredibly fast, and works perfectly well on Safari and Firefox.

Here is a screencap of the wip mobile UI on old safari: https://files.catbox.moe/bo7pxn.jpeg


I’ve always felt this automation shouldn’t exist at all, but should rather be selectively controlled via a hook. The hooks yarn offers out of the box for example can be used to run any code you need to after install. Putting the project owner in control instead of the dependency.

In case others are unaware, you just have to set https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate to the value you want. It defaults to 1 day.

It’s on by default in yarn 4 too now, but pnpm was the first to market that default minimum gate.

https://github.com/yarnpkg/berry/pull/7135


If this were a universal default, would the strategy defeat itself?

Even if everyone used it, the security scanners would still have time to do their static analysis of new packages. Basically, all the clients implementing a delay would create a de facto quarantine status for new packages so they can be examined before everyone starts installing them. (Why npm doesn't just implement that themselves, I do not know.)

Then shouldn’t the analyzers just be part of npm’s acceptance requirements?

I think if they did it, then attackers would be able to iterate their attack against their own project, and once it passes the filters they could deploy for real.

I guess it could work better if it was enabled for only actual attack vectors projects.


That’s my point. For whatever reason, npm isn’t doing it. All npm users adding a minimum package age is kind of like doing it as a collective, without npm’s help.

No.

Many places run analyzers on published code; many security users have reason to shorten the period. The default period becomes the period where white hats have a chance to detect it and stop it passing the threshold.
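The thread above describes how a client-side minimum package age turns the first day after a release into a de facto quarantine window. The script below is an added example of that resolution logic (it is not yarn’s, pnpm’s or npm’s own code): given the `time` map the npm registry returns for a package (version to publish timestamp), it picks the newest version that has been public for at least the gate period and reports the newer ones as quarantined. The package metadata, timestamps and the `min_age` values are constructed for this illustration.

```python
"""Minimum package age gate, demonstrated stand-alone.

Added example: mirrors the idea of npmMinimalAgeGate / minimumReleaseAge,
not the real implementation in yarn or pnpm.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the registry's `time` field for one package.
# Versions and timestamps are made up for this example.
SAMPLE_TIME = {
    "created": "2024-01-10T09:00:00.000Z",
    "modified": "2026-02-03T14:05:00.000Z",
    "1.0.0": "2024-01-10T09:00:00.000Z",
    "1.1.0": "2025-06-20T12:30:00.000Z",
    "1.1.1": "2026-01-28T08:00:00.000Z",
    "1.2.0": "2026-02-03T14:05:00.000Z",   # published a few hours ago
}

# Timestamp used as "now" in the example so the result is reproducible.
SAMPLE_NOW = datetime(2026, 2, 4, 0, 0, 0, tzinfo=timezone.utc)


def parse_ts(ts):
    """Registry timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version):
    """Naive semver ordering on the numeric core (prerelease tags ignored)."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def gate_versions(time_map, now, min_age):
    """Split published versions into (allowed, quarantined), oldest to newest.

    A version is allowed once it has been public for at least `min_age`;
    anything newer is still inside the quarantine window.
    """
    cutoff = now - min_age
    allowed, quarantined = [], []
    for version, ts in time_map.items():
        if version in ("created", "modified"):   # metadata keys, not versions
            continue
        bucket = allowed if parse_ts(ts) <= cutoff else quarantined
        bucket.append(version)
    return sorted(allowed, key=version_key), sorted(quarantined, key=version_key)


def resolve(time_map, now=None, min_age=timedelta(days=1)):
    """Return (newest eligible version or None, list of quarantined versions)."""
    if now is None:
        now = datetime.now(timezone.utc)
    allowed, quarantined = gate_versions(time_map, now, min_age)
    newest = allowed[-1] if allowed else None
    return newest, quarantined


if __name__ == "__main__":
    for days in (0, 1, 7):
        newest, held = resolve(SAMPLE_TIME, SAMPLE_NOW, timedelta(days=days))
        print(f"gate={days}d -> install {newest}, quarantined {held}")
```

With a one-day gate the resolver installs `1.1.1` and holds back `1.2.0`; widening the gate to seven days also holds `1.1.1`, and a zero gate behaves like a client without the feature. A real resolver would apply the same filter before semver range matching, which is why a version published minutes ago is simply invisible to every client honouring the gate.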


I tried it but see a lot of false positives.

One funny thing I see it doing is deleting seemingly random comment lines, for example if a file has a comment that spans multiple lines but doesn’t use a multi-line comment syntax. It just chooses one at random, transforming the once useful comment into slop.


Thanks for the feedback, we’ll check that out

The problem is that we have an ever growing and large number of constraints, and not following even a single one means the result is sloppy.

I don’t see them fixing this any time soon, and thus human in the loop is a requirement to use these tools effectively. That is unless you love your slot machine dopamine rush enough to ignore quality gates and respect for your peers’ time.

