It just keeps getting worse
All right, everybody. I feel more
vindicated than ever. I feel like I
actually have the right answers here. I
feel like I can see around corners. I
was right. My hate of the JavaScript
ecosystem was not unfounded. Yet again,
we are having more and more security
issues. Now, this one just happens to
come with a new flavor. Today, it is yet
another worm. If you're not familiar
with how the worm works, effectively,
someone gets compromised somehow and
then packages get overridden and
released in which when you install it,
it executes a build script in which then
goes and installs on your system a bunch
of bad stuff, attempts to steal stuff,
or maybe it doesn't do anything and
waits until it's back on CI/CD. And then
when you go and publish, it goes and
takes your stuff and then keeps on doing
this like forward progressing, always
publishing new versions of all the
packages, constantly spreading
throughout the universe. Now, this
particular one is called mini Shai Hulud
because it didn't affect as many
packages as the full Shai Hulud, but
it's the exact same type of worm. It
ended up affecting a very high-profile
NPM package, the TanStack. 42 packages
from TanStack, that's a lot. It also
affected Mistral AI, UiPath,
OpenSearch, Guardrails AI, Dgraph Labs,
and others. Effectively, how it worked
is that it hijacked an OIDC token from
the action runners and poisoned the
GitHub Actions cache. This allowed them
to publish malicious versions through
real CI/CD pipelines, which means that
anybody looking at the versions, it
would be signed off and be like, "Hey,
yo, this release, it's good. Don't
worry, this is from an authoritative
source. You don't have to worry." So,
this is effectively what happened yet
again. Now, I want to make like a rant
here, okay?
I'm feeling a bit filled with some hot
energy, and I just feel like it's
time. It's time for me to talk about
things. And yes, part of this is going
to be the classic, right? You know the
classic.
>> Hey everybody, AN OLD MAN'S TALKING.
GRANDPA'S YOUR NAME. Which is me telling
you stories about the past, telling you
how it used to be and you guys going,
"Aw, cute grandpa. Why don't you go back
to the nursing home?" Which by the way,
hurts a little bit when you do that, but
you know,
that's just that because you know, just
to give you a little bit of JavaScript
lifetime for you. I've been working on
JavaScript since before there was a NPM
and or there was a way to even build
your JavaScript. Typically, what you did
is that either you wrote it in one big
file, you had a bunch of source
includes, or you do the classic, which
is build your own build tool, make it
all into one gigantic mega file, and
then put it forward in lots of global
state, absolutely fantastic. Along with
your file, you'd always of course rely
on jQuery cuz jQuery is the best query,
okay, buddy? Even my very first
professional job, I actually had to
build my own bundler. I built it in
Java. I know,
people, I was at a C# house. I built it
in Java and it bundled Microsoft master
pages JavaScript, okay? Do you do you
realize the do you realize the I
seen? You've heard me mention G2I before
for hiring great engineers quickly, but
did you know that they have roles for
full stack, front end, back end, iOS,
Android, data science, AI engineers,
platform engineering, site reliability
engineers, product design, product
management, and even security with
security engineers and security
analysts. But what I did not realize is
that they can help you build your entire
team. We're talking about product
management, project manager, designers,
and engineers, the whole shebang-a-bang.
So, use my name when you reach out to
them and get $1,500 off your first
invoice.
Ah,
>> [sighs]
>> out of breath for that one. I wanted to
say all that because again, the whole
grandpa thing, we're going to get
through that, but more so, uh I wanted
to kind of paint this picture cuz I feel
like we just got to have a good yapping.
So, I'm not going to really break down
the technical details of how Shai Hulud
mini version 3.0 actually happened. This
isn't about this. This is more of a
philosophical talk, okay? Maybe a little
bit more of a come-to-Jesus talk, a
spiritual talk, all right? Because this
is what I see when I use npm. I see some
pretty intense security, okay? The npm's
making sure nothing gets through, okay?
Doing the utmost hardest work possible
to ensure your safety, and definitely
not that there's probably corporations
right now that are being blackmailed and
having in their information stolen, but
hey, whatever. Now, there's things you
can obviously do. So, just kind of like
some PSAs, you can always use pnpm. You
can have minimum release age, meaning
you don't get the newest libraries. But,
of course, what's the problem with the
newest libraries? If you don't get the
newest libraries, you could be releasing
stuff that has a major vulnerability.
Let's just say Next.js also had a huge
problem this week. Or, it's the inverse.
You get the new libraries, you get the
new security vulnerabilities. It's a
real damned if you do, damned if you
don't. Also, this is very, very
important. Block installation scripts by
default. Super, duper, duper important,
by the way. If you're on Rust, and
you're probably like,
>> [laughter]
>> "I use Rust." Well, buddy, hey, buddy,
guess what? I hate to break it to you,
but Rust has build.rs, and if you
download a package or you install a
dependency,
you're right, you're not had. But, the
second you build your project with a
dependency, if it has a build.rs file
that's malicious, bam, you're had. So,
it's inert to install, absolutely
dangerous to build. So, pretty much the
exact same worm theoretically could
exist anywhere. I do like what Gergely
has to say about this entire like, "Hey,
here's all the pros and cons. Here's the
things that are good. Here's the things
that are bad." Self-hosting your package
registry is pretty interesting because
you can choose what you want and don't
want inside of your registry and how old
or new they have to be. Okay, you could
pin versions, but of course pinning
versions often leads to a bit of
problems. You still have to rely on the
fact that the thing you're pinning
doesn't rely on a version range that
could be malicious for you. There's a
lot of problems with it. And
unironically, not even a part of this
entire Shai Hulud thing, just yesterday
Ruby also pulled 120 malicious packages
from RubyGems. This is not like some
JavaScript problem. This is a larger
problem. And by the way, the mini Shai
Hulud also went off and poisoned the
PyPI package registry. So, it also is
jumping ecosystems. But nonetheless,
none of that really matters. The problem
is a bit more broad. If you've only ever
used like say the JavaScript language,
you kind of have a certain view of the
world. And this can even extend that if
you've only ever used JavaScript and say
Rust, you kind of have the same view of
the world, which is all right, I have my
base programming language and inside of
it there's some conveniences around say
strings and arrays and all that. But
anytime I actually want to do something,
I have to go and get a package. Oh, you
want a URL? Well, guess what, Buster? If
you're in Rust, you got to get the URL
crate. Oh, you want a JSON stringify and
parse? Oh my gosh, you need Serde and
Serde JSON. Right? You're going to need
multiple packages for that. You want
async? You're going to have to have
something special for Rust. If you want
HTTP, you probably are going to both
need something for Rust and you're going
to want something for the JavaScript
ecosystem such as Express, Hono, Hapi,
whatever you're going to do, right?
Elysium Elysium nuts on your chin. Damn,
that's crazy. Okay, anyways, back to the
story. Either way, anytime you want to
do a thing, you effectively need to go
and get a bunch of third-party
dependencies. Now, these third-party
dependencies, they often have the exact
same thing. Hey, I'm going to build HTTP
whatever, well, I'm going to go and rely
on a URL package. I'm going to go rely
on this certain async request thing. I'm
going to go rely on this certain other
thing internally. And so, even when you
download a package, that package has
many sub packages it depends on. That's
why whenever you just start any modern
JavaScript repo or start any Rust
project that even touches the internet,
you end up building like a hundred plus
dependencies just to get off the ground.
Now, this is where the philosophical
kind of debate starts because I just
wanted to put that in your head because
I think a lot of people, they don't
really realize the world they work in.
This is just always been the world that
exists. And I'm not even saying that
you're a bad person, a bad engineer, or
any of that crap, right? This is just a
natural state of working on the web is
that you probably went from JavaScript,
maybe you dabbled in a little bit of
Rust, maybe you got a couple of
thigh-high socks, maybe you had some and
very interesting questions and
conversations with your parents. It's
like that's just totally the standard
ecosystem experience that everybody has.
But, there's other things in the world.
I've been in the process of rewriting
the Mordoria game in a different
language cuz I really wanted to give
something a little bit more run for the
money. I wanted to use both Jai, JAI,
Blow Lang as some people call it on the
Twitters, and Odin. Odin is
a C-like programming language for the
joy of programming. That's what it's
called. And a very kind of cool part
about Odin is that, hey, I want to draw
textures and do 2D graphics. Well, guess
what? Raylib is just included. Now,
Raylib is obviously a C library, blah
blah blah blah blah, it has to do with
graphics, but it's a part of the
language itself.
When I run Odin, they have a vendored
set of libraries, which means that I can
also just type in vendor, and I can do
stuff with, say, lib C, Lua, X11, curl,
WASM, WebGPU. And that's kind of like an
interesting experience because that's
not the experience you would have in
other ecosystems. This language in some
sense is a complete language. It is a
batteries included all the way. So, if
you need something, it's probably
already been implemented in the standard
library or it's been vendored in in the
case of raylib or Lua integration.
Whatever you need for your game, this is
a language not only built as a general
purpose programming language but
designed to be extremely helpful to
people doing graphics. And that's like
kind of a unique selling perspective of
this.
Is that you actually have something that
is meant for a job and it does it well.
It's kind of like JavaScript. JavaScript
was really meant for a job. It was meant
to work on the web and that's why a lot
of the, you know, initial API also has
document which has, you know, get go,
you know, query selector, query selector
all and has a bunch of ways to interact
with the DOM. But then it also became a
general purpose language and then that's
where things just kind of got confusing.
It never really kept on iterating and
becoming more useful for the web because
it never really knew what it was. And
that's just the thing with Go as well.
Just use Go. Yes, this is
another one of those highly vulgar
articles in which goes over the reasons
why you should just use Go. And one of
the big reasons down towards the bottom
is that dependencies don't ruin your
weekend. You can A, you could add them
fairly easy, they're pretty
one-dimensional or you can actually just
vendor them in, meaning that they're
actually copied into your project. And
now this is where I'm going to say some
things that are
maybe a little bit more unique. I'm
going to go off the person who actually
created Odin the programming language,
Ginger Bill, and he has an article
called package managers are evil. Now,
you've probably seen me reference this,
I believe, in the last two videos that I
did on Shai Hulud and just the
ecosystem of npm over the last 6 months
ago or whenever it was. I actually
referenced this right here, which is
package managers are evil. And one of
the reasons why is that it really makes
simple something you should take so much
more seriously. Have you ever thought
about that? Like how much code you bring
onto your system? This is the exact same
problem we're seeing right now with
skills as well. People are just dumping
all these skills for their AI to use and
some of them have a bunch of like hidden
messages and ways to exfiltrate data
from your computer. Just like how, you
know, Shai Hulud is out there
exfiltrating all of your information.
It's the exact same thing is that we're
just kind of inundating ourselves with
so much information just to get started
on something. We're not really thinking
through the problems. We're not using an
environment that's been tuned for the
task at hand. Instead, we're using an
environment that's not really tuned for
it and that's, you know,
RIP JavaScript for all of its decisions.
It never really figured out what it
should have been. And even though the
language is pretty fun to use, pretty
easy to use, you can get quite a bit
done. It is a major flaw that it never
actually understood its purpose. And so
one of the big problems we end up
running into is this idea of automation
of dependency hell. See, the thing about
dependencies is every time you add a
dependency, you're adding liability to
your program, whether you like it or
not. Interfaces change, which makes it
hard to upgrade. If there's a security
vulnerabilities, then you have to
upgrade. You may have to upgrade to new
major versions. There's all sorts of
problems that are associated with it.
It's just not the same thing and when
something's in a package that you
download and use via NPM, you don't
really feel like you can touch it. And
often people never even review the code
itself. In fact, I did a poll not too
long ago that showed it was like 80 plus
percent of people don't even look at the
code that they're downloading all the
time. And I would suspect it's
actually probably significantly higher
than 80%. The only reason why I have 80%
on this channel is because we probably
cover more gaming and system stuff at a
higher rate than say a web dev channel.
But I just kind of wanted to think about
this, which is what happened? Why did we
change off of this? Because when I was,
you know, when I was a young man, when I
got started programming, okay, buddy? I
used to go in and I used to choose very
carefully what libraries I wanted
included inside of my JavaScript. I
remember one that was called like
something along the lines of
touch tools. It wasn't better touch
tools, which was a Mac thing. I forget
exactly what it was. This is back in
2012, and I would go to GitHub, I would
clone down the stuff, and I would vendor
in the exact versions, and then I would
hand-make edits to the things we needed
for my company, because this was still
MIT licensed back in the day, or
whatever the very permissive license
was. But nonetheless, I actually had to
kind of keep up with it. And was this
bad? Was this a bad thing when Bower
came out and NPM came out and Grunt came
out? Did we switch over and start
pulling it in? Sure, but was it bad that
we had to take a lot of thought before
bringing in any dependency? Well, I'd
say one big difference back then is
anytime you had a dependency, it almost
was itself dependency-free, because the
mechanism of getting dependencies was,
well, not very well understood.
And NPM really hadn't taken a foothold,
so anything you got was extremely
one-dimensional, which I think just
ultimately created very different
software 15 years ago than it does
today. And should we move back to that
day? Well, I do think that we are
entering into a world where we're just
going to see more and more of these Shai
Huluds. And part of that is because I
mean, personally, I think that this
group behind it, they have so much
tokens and access to systems, we can't
even fathom it. And so, every 6 months,
they're like, "Well, should we hack them
again, George?" And then George is, of
course, very happy about this. "All
right, George. Let us
send off the token scams
again." And then off they go and grab
everything. And I think this is just
going to happen for the next, I don't
even know how many years. We're just
going to be perpetually had for like
every few months because of just how
fast everything updates. When a single
package is updated, potentially tens of
thousands of downloads happen within
just a few minutes going to all these
different CI/CDs, which then infect more
packages, and it just keeps on
happening. Like I would not be surprised
if right now the group behind Shia
Labeouf does not have access to a lot of
the major software companies right now.
Honestly, I refuse to believe that they
don't because it's ridiculous with how
much tokens they've been able to take.
Anyhow, I know this was kind of a bit of
a rambly video, and I know it was like a
little bit more high energy, and there
really wasn't that many jokes in this
video. But I mean, I just wanted to say
all those things because
you know, there's part of me that
realizes, especially as I use Odin,
like, "Wow, this is really nice. I'm
probably going to be able to finish off
this game, which will end up probably
being something like 100,000 plus lines
of code with zero dependencies. I have a
language, a build tool, and I have every
last like thing I need to be successful
completely in one item." And I'm just
like, "Why isn't this the way for
everything else?" Like this
is good. This is what more experiences
should be. I shouldn't have to like get
an amalgamation of software just to be
able to do the basic things. Like this
is what I want. This is what I want to
see more because I've been on both
sides now. I like this side. I like this
side a lot, and if I really had to bring
in something, I could vendor it in
myself and be like, "Okay, I need this
one thing. It does this one thing. My
program wants it to do this one thing.
Here we go." Like and I'm just going to
make that choice so rarely because of
kind of the expensive nature because
guess what? Odin doesn't
really have a package manager. I don't
know if you know that. I can't imagine
why Odin doesn't have a package manager.
I can't imagine well, why does Ginger
Bill not want a package manager inside
of Odin? I don't know where I was going
with all this. I just felt like yapping.
You know, like have you ever had that
urge? I had the urge. I feel like I
understand why a dog wants to bark
because I just feel the same thing
just deep inside of my bones.
Did you like this? You want to like send
send me a signal that you liked it.
Press like the like button or make like
a comment and tell me I'm completely
wrong and just being an old man yelling
at clouds or maybe I'm correct. Maybe
having a language in which actually does
just have everything included is the
better way to go. The name
is ThePrimeagen.
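One way to mechanise two of the mitigations the speaker lists (a minimum release age, and refusing packages that declare install-time lifecycle scripts), as an added example that is not code from the video or from any project it mentions. The registry document, package name and timestamps below are constructed, the input shape follows npm's packument format (`versions` and `time` maps), and versions are ranked by publish time rather than by semver.

```javascript
// Lifecycle hooks that run on the installing machine; pnpm-style
// "block install scripts" policy refuses any dependency that declares one.
const INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed registry document for a hypothetical package "example-lib".
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '1.4.1' },
  time: {
    '1.3.0': '2026-01-05T10:00:00.000Z',
    '1.4.0': '2026-01-20T09:30:00.000Z',
    '1.4.1': '2026-02-02T08:15:00.000Z', // pushed minutes before "now"
  },
  versions: {
    '1.3.0': { version: '1.3.0', scripts: { test: 'node test.js' } },
    '1.4.0': { version: '1.4.0', scripts: { build: 'tsc' } },
    '1.4.1': { version: '1.4.1', scripts: { build: 'tsc', postinstall: 'node setup.js' } },
  },
};

// Names of install-time hooks a version manifest declares (empty if none).
function installScriptsOf(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_SCRIPTS.filter((name) => name in scripts);
}

// One verdict per published version: allowed only if it is at least
// minReleaseAgeDays old AND declares no install-time hooks.
function evaluatePackument(packument, { minReleaseAgeDays, now }) {
  const cutoff = now.getTime() - minReleaseAgeDays * 24 * 60 * 60 * 1000;
  return Object.keys(packument.versions).map((version) => {
    const publishedAt = packument.time[version];
    const published = Date.parse(publishedAt);
    const hooks = installScriptsOf(packument.versions[version]);
    const reasons = [];
    if (Number.isNaN(published)) reasons.push('no publish time');
    else if (published > cutoff) reasons.push(`younger than ${minReleaseAgeDays}d`);
    if (hooks.length) reasons.push(`install scripts: ${hooks.join(', ')}`);
    return { version, publishedAt, allowed: reasons.length === 0, reasons };
  });
}

// Most recently published version that passes the policy, or null.
function pickInstallable(packument, policy) {
  const ok = evaluatePackument(packument, policy).filter((v) => v.allowed);
  ok.sort((a, b) => Date.parse(b.publishedAt) - Date.parse(a.publishedAt));
  return ok.length ? ok[0].version : null;
}

// Constructed "current time": 15 minutes after the 1.4.1 publish.
const NOW = new Date('2026-02-02T08:30:00.000Z');
for (const r of evaluatePackument(SAMPLE_PACKUMENT, { minReleaseAgeDays: 7, now: NOW })) {
  console.log(r.version, r.allowed ? 'allowed' : `blocked (${r.reasons.join('; ')})`);
}
console.log('would install:', pickInstallable(SAMPLE_PACKUMENT, { minReleaseAgeDays: 7, now: NOW }));
```

With a seven-day floor the freshly pushed 1.4.1 is refused twice over (too young, and it carries a postinstall hook), so the resolver settles on 1.4.0.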
The speaker expresses frustration and a sense of vindication regarding security issues within the JavaScript ecosystem, specifically discussing a new worm called "mini Shai Hulud." This worm hijacks OIDC tokens and poisons GitHub Actions caches to publish malicious package versions. The speaker criticizes the prevalent dependency-heavy model in JavaScript (and to some extent Rust), where even basic functionalities require numerous third-party packages, leading to increased security risks and maintenance burdens. He contrasts this with languages like Odin and Go, which offer more "batteries included" standard libraries and promote vendoring dependencies, reducing reliance on external package managers and encouraging more careful consideration of included code. The video concludes by suggesting that a future with more integrated language features and fewer external dependencies might be a safer and more efficient approach, especially given the continuous threat of supply chain attacks.