consumer451 7 hours ago

I have to say, this whole saga is extremely interesting. Not just from a popcorn-enjoyer's point of view, but as a bit of a bell weather for 2026 software dev.

giancarlostoro 5 hours ago | parent | next [-]

What's funnier to me is none of them seem to want to abandon npm which keeps getting exploited and hacked. NPM has been the source of just how many industry wide hacks? Three major ones, and a massive supply-chain industry wide campaign against npm. But yeah, bun is the real concern here.

I think we need to smell the coffee and review npm and scrutinize it because it is getting dangerously out of hand.

pier25 an hour ago | parent | next [-]

> none of them seem to want to abandon npm which keeps getting exploited and hacked

Do you know of a better alternative for JS/TS that has all the popular packages?

rglover 17 minutes ago | parent [-]

Not perfect, but I use Verdaccio to run my own npm server and for third party deps, I clone, eval, and then if it's clean, push a safe copy to my own server (not for everything, just the most sensitive, hardcore stuff but eyeballing building a tool to semi-automate it due to recent chaos). You can even clone from remote URLs (point to a tarball from package.json instead of a version) so I've considered just using a private bucket.

Tedious, but makes the "npm hacked again" posts mostly moot.

TiredOfLife 2 hours ago | parent | prev | next [-]

Also Rubygems, Packagist, PyPi

baggy_trough an hour ago | parent [-]

What's the worst hack to affect users of rubygems?

pwdisswordfishs 41 minutes ago | parent [-]

DHH, of course.

tankenmate 4 hours ago | parent | prev [-]

From my perspective it is a synthesis of "It is difficult to get a man to understand something, when his salary depends upon his not understanding it." and "but npm is the source of all the shiny shiny!".

christophilus 7 hours ago | parent | prev | next [-]

Time will tell. I predict this is just the same 20 year pattern of: people on the internet are irate about $latest_thing, and everyone will move on to some other hot topic.

jakobnissen 6 hours ago | parent | next [-]

But surely, whether or not the Internet mob moves on has no bearing on what actual lessons to learn from this saga. Will the vibe rewrite turn out to be a disaster or are LLMs already capable of writing human level code at this scale? That question is interesting no matter the level of attention this gets.

stephbook 6 hours ago | parent [-]

I believe projects that pin old versions or maintain their own shoddy fork will be left behind. Deprecation is fine.

consumer451 6 hours ago | parent | prev | next [-]

For some reason, when thinking about this, the visual of all the scientists at CERN camping out for the results of the Higgs Boson experiment jumped into my mind.

This is not as big an experiment as that. But, for software dev, it feels very significant.

6 hours ago | parent | prev [-]
[deleted]
Cpoll 5 hours ago | parent | prev | next [-]

Trivia: The term is "bellwether," i.e. a wether (castrated sheep) wearing a bell, used to guide the flock.

consumer451 4 hours ago | parent [-]

I kept checking the thread for responses and finally realized it, but too late to edit. I will probably wake up in a few days from a nightmare about this misspelling on HN. Happens all the time, no joke.

I think that in my mind, it was always some sort of weather related bell, like you ring it, when the weather changes.

Hopefully the sheep reference will help me remember.

ibejoeb 6 hours ago | parent | prev | next [-]

People are going to be using a lot less software if the selection criteria include not being no agents.

skeeter2020 5 hours ago | parent | next [-]

This is a very uncharitable interpretation of the twitter post: "It’s a combination of anthropic’s stance of not doing human reviews or any kind of rational roll out and stabilization."

They mention nothing about agents being used, rather focus on humans in the review cycle and some sort of gated roll-out process. Why we would bin these practices in the name of a faster release cycle is an important question & debate.

ibejoeb 5 hours ago | parent [-]

I kind of agree, but it goes both ways. Has Jarred said that there was no review? I know that he stated that rust bun passes tests. Now, I don't know the amount or quantity of coverage, but as a thought experiment, let's assume they are good. What does that count for?

riffraff an hour ago | parent | next [-]

I think most people believe it unlikely that one million lines of code can be reviewed in one week, and the fact that tests pass does not imply good code.

I have no idea whether the new or old code is/was good, just pointing out what seems like a plausible thought process for people who object to this rewrite.

2 hours ago | parent | prev [-]
[deleted]
dahs12 an hour ago | parent | prev | next [-]

There was enough software that powered the Internet before 2023. We don't need laundered slop from criminals.

conartist6 5 hours ago | parent | prev [-]

yes, because as we know from history without agents there is no internet or technology or anything

ibejoeb 5 hours ago | parent [-]

What do you mean?

I'm saying that AI is going to develop software from here on. I don't think you can expect that a human is going to review every line of code. Not that it's good, but that's just how it is. It's not so different from manufacturing. A human is not reviewing every weld. I see a lot of sloppy beads, but in a lot of cases, it's good enough.

tmp10423288442 2 hours ago | parent | next [-]

> A human is not reviewing every weld.

On civil engineering projects, I’m pretty sure a human reviews each weld. For mass-produced things, maybe not, although a company would not look good in a lawsuit if they had inadequate inspection procedures which allowed a fault causing injury or death to occur.

youre-wrong3 an hour ago | parent [-]

> On civil engineering projects, I’m pretty sure a human reviews each weld.

Nope. It’s sampled.

conartist6 2 hours ago | parent | prev | next [-]

I'm saying that's self-evidently ludicrous. Software is not like welding. Do you think Notch could have become rich and famous by welding? How about Bill Gates, famous as a really consistent welder?

bigstrat2003 an hour ago | parent | prev [-]

There's no way that AI develops software from now on. It isn't remotely good enough for that, nor has it really gotten better in the past few years. We're going to see a push to use AI, then a move away from it once the dreadful quality of AI slop becomes too obvious to ignore.

MuffinFlavored an hour ago | parent | prev | next [-]

I wonder how many "behind the curve/not super modern" corporations were using Bun or Deno to begin with.

Part of me thinks it's a mild overreaction. It's not like people audit every line of kernel/driver/BIOS/EFI code before running Linux? As long as the tests pass and the performance doesn't regress and it's secure... why are people so mad that it was vibe coded? Is it because it was an irresponsible thing to do? Maybe?

I don't know, I see both sides.

dahs12 an hour ago | parent [-]

It isn't about users auditing Linux. The Bun developers don't audit "their own" (stolen) vibe code output. How would anyone know if it is secure?

fallenscope 7 hours ago | parent | prev [-]

[dead]