Hacker Newsnew | past | comments | ask | show | jobs | submit | molsson's commentslogin

I maintain a package on npm with >1M weekly downloads. I also got the same phishing e-mail, although I didn't click it.. here are the e-mail headers in the phishing e-mail I got:

Return-Path: <[email protected]> X-Original-To: [email protected] Delivered-To: [email protected] Received: from mail-storage-03.fbg1.glesys.net (unknown [10.1.8.3]) by mail-storage-04.fbg1.glesys.net (Postfix) with ESMTPS id 596B855C0082 for <[email protected]>; Mon, 8 Sep 2025 06:47:25 +0200 (CEST) Received: from mail-halon-02.fbg1.glesys.net (37-152-59-100.static.glesys.net [37.152.59.100]) by mail-storage-03.fbg1.glesys.net (Postfix) with ESMTPS id 493F2209A568 for <[email protected]>; Mon, 8 Sep 2025 06:47:25 +0200 (CEST) X-SA-Rules: DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_FMBLA_NEWDOM,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_NONE,SPF_PASS X-RPD-Score: 0 X-SA-Score: 1.1 X-Halon-ID: e9093e1f-8c6e-11f0-b535-1932b48ae8a8 Received: from smtp-83-4.mailtrap.live (smtp-83-4.mailtrap.live [45.158.83.4]) by mail-halon-02.fbg1.glesys.net (Halon) with ESMTPS id e9093e1f-8c6e-11f0-b535-1932b48ae8a8; Mon, 08 Sep 2025 06:47:23 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; x=1757637200; d=smtp.mailtrap.live; s=rwmt1; h=content-transfer-encoding:content-type:from:to:subject:date:mime-version: message-id:feedback-id:cfbl-address:from; bh=46LbKElKI+JjrZc6EccpLxY7G+BazRijag+UbPv0J3Y=; b=Dc1BbAc9maHeyNKed/X7iAPabcuvlgAUP6xm5te6kkvGIJlame8Ti+ErH8yhFuRy/xhvQTSj8ETtV f3AElmzHDWcU3HoD/oiagTH9JbacmElSvwtCylHLriVeYbgwhZVzTm4rY7hw/TVqNE5xIZqWWCMrVG wi+k9uY+FUIQAh7Ta2WiPk/A4TPh04h3PzA50zathvYcIsPC0iSf7BBE+IIjdLXzDzNZwRmjgv2ZHW GAx/FRCPFgg0PbVvhJw98vSHnKmjPO/mmcotKFG+MUWkCtTu28Mm46t7MI7z5PrdCXZDA7L1nVnIwE ffIf0zED32Z6tFSJFNmYgFZlD6g+DnQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; x=1757637200; d=npmjs.help; s=rwmt1; h=content-transfer-encoding:content-type:from:to:subject:date:mime-version: message-id:feedback-id:cfbl-address:from; bh=46LbKElKI+JjrZc6EccpLxY7G+BazRijag+UbPv0J3Y=; b=DyWvxSOjMf7WfCVtmch+zw63kZ/OOBjcWnh1kIYs/hozgemb9mBIQCMqAdb4vSZChoW5uReVH5+k5 Jaz7UodbPJksVkYWqJOVg6nyx5EaYMYdgcw1+BCct/Sf2ceFwWurhupa6y3FBTFWBYLhcsAXERlx2l IuxWlpZoMDEBqDxjs8yvx/rkBrcd/2SNTcI+ooKJkrBIGBKuELOd3A5C6jlup6JNA4bE7vzP3FUfKw y0357UMnn45zWHm9HvudO4269FRlNjpiJaW7XF1/ANVrnDlNWfUGNQ5yxLZqmQDTtxFI7HcOrF3bTQ O/nrmVOvN9ywMvk/cJU4qGHqD9lT32A== CFBL-Address: [email protected]; report=arf X-Report-Abuse-To: [email protected] Received: from npmjs.help by smtp.mailtrap.live with ESMTPSA 6aee9fff-8c4b-11f0-87bb-0e939677d2a1; Mon, Sep 08 2025 00:33:20 GMT Feedback-ID: ss:770486:transactional:mailtrap.io Message-ID: <[email protected]> X-Mt-Data: bAX0GlwcNW6Dl_Qnkf3OnU.GLCSjw_4H01v67cuDIh2Jkf52mzsVFT_ZEVEe0W6Lf3qzW2LP_TCy93I46MCsoT0pB9HozQkvCw22ORSCt3JBma1G3v9aDEypT1DLmyqlb6hYLF3H7tJCgcxTU5pbijyNaOFtoUMdiTA6jxaONeZbBj.SKUa5CLT5TMpeNHG6oGIiY_jqlU.nQkxGPY3v9E34.Nz4ga8p9Pd_BplftaE~--2CLrluJMY65S5xFl--IISg0olYJu6DVyVDEcJ.AQ~~ MIME-Version: 1.0 Date: Mon, 08 Sep 2025 00:33:20 +0000 Subject: Two-Factor Authentication Update Required To: "molsson" <[email protected]> From: "npm" <[email protected]> Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


That domain (npmjs[.]help) has been taken down. Looks like it was purchased and started hosting on September 5th, 2025.


I guess this is the 1yr sharpe plotted over time, ie the sharpe at date X considers the stddev within the previous 365 days etc?

Many brokers only show 1yr sharpe or perhaps 3yr sharpe (for example swedish nordnet has 1/3/5 year sharpe: https://www.nordnet.se/fonder/lista/jupiter-gold-silver-usd-... )... but very often stocks/funds go steadily upwards for several years in "good times" and then we have major drawdowns during turmoil like 2008 or 2020 etc. In these cases, a 1yr or 3yr sharpe can be very misleading.

Have you considered also plotting 3yr sharpe and 5yr sharpe over time? Perhaps the length of the sharpe ratio would be configurable in the calculator?


Right now it uses the total stddev of the portfolio, over the full history provided. It can be changed fairly easily to compute it over a moving window of 1/3/5 years.


process.stdout._handle.setBlocking(true)

...is a bit brutal but works. Draining the stream before exiting also kind of works but there are cases where drain will just permanently block.

async function drain(stream) { return new Promise((resolve) => stream.on('drain', resolve)) }


When you want to await a single instance of a Node EventEmitter, please use `stream.once('drain', (err) => ...)` so you don't leak your listener callback after the promise resolves.


Which cases will it permanently block?


The writable stream will only emit 'drain' if the buffer fills past the limit. In that case, a prior call to `writable.write(...)` would return `false` indicating you should wait for drain before calling write again. Even if your code can't access the return value for the last writable.write call, you can check `if (writable.writableNeedDrain) { ...` to decide to wait for drain.

This program will run forever, since we never write to stdout, stdout never "drains":

    setInterval(() => console.error("stderr: ", new Date().toISOString()), 5_000)
    process.stdout.once("drain", () => {
      console.error("stderr: stdout.once.drain, exit")
      process.exit(0)
    })


Hmm, why did you build it as a desktop app in 2022? Seems like a no brainer to have this in the cloud so that you can seamlessly process huge files and integrate with various third-party APIs. I've used https://www.gigasheet.com/ for this before (which is cloud-based). And there is also the open source visidata project.


Definitely not a no-brainer. Don't want my CSVs integrating with APIs (or in the cloud at all), and I'm confident the desktop version handles large files better than a cloud solution would, as well as being far more responsive, quick, compact than any web-based solution.


I have zero interest in using business data with some online service that nobody else at my company has vetted. I vastly prefer being able to try and use a desktop application where I can be sure sensitive data is where I have 100% control over it.


I'm absolutely positive that you can make a desktop app a lot more snappy and usable than any browser-based solution. Especially if the point is to edit files on your computer – no way I'd want to upload a 100MB CSV to cloud before even having a sneak peek, but a (good) desktop app would allow a quick sneak peek of even a 10GB CSV.


Not everyone wants their solution hosted in the cloud. I would much rather have this as a desktop app that I can own than yet another SaaS product that I have to rent...


It would be nice if the web somehow filtered out links that one had decided to not pay for.


HN Guidelines are links should not be submitted if there is not a freely available version, or at least the wording is "It's ok to post stories from sites with paywalls that have workarounds", which implies that.

It would be nice if OPs took more effort to post the non-paywalled alternative (in addition to the original) to avoid these discussions and complaints. Yes, I am aware complaining about paywalls is OT.

https://news.ycombinator.com/newsfaq.html


No it wouldn't.


Seems like a worthwhile Chrome extension. Or to replace all paywall links with the internet archive link?


We used a similar approach when we pushed to get -Werror enabled in a large C++ code base I worked on years ago.


It's a beauty. Why buy a finished product when you can quickly put something like this together ?


Dead birds? Clearly, the Earth's magnetic field must be reversing!!11

https://www.imdb.com/title/tt0298814/


I hate when you browse through 10-15 websites and for all of them you quickly click the "Accept" button in the bottom banner to get rid of the irritating cookie banners.

And then suddenly, on the 16th website they put a fucking "Buy our thing" button in a bottom bar that you quickly click on without even thinking twice.


There needs to be a way to punish deliberate subversion of expectation. The whole "haha gotcha" mentality is harmful to society in general. The problem is much wider than just dark UI patterns on the web.


It's an impossibility given how our society is structured. A hundred years ago, if Tim's General Store did something shady, there was both social (hey Tim, wtf we're buddies this town only has 50 people) and economic (I'm never going back there and I'm 10% of Tim's regular customers). In this circumstance, our system works very well. But because of increased communication and transportation, pretty much everywhere you can consume from is a multi-national corporation. If Walmart overcharges you for a shovel, you can get your money back, but otherwise don't have any meaningful say about your experience, and probably don't have a meaningful alternative. Same with the internet, there are millions of people hitting up Google the same way you are, even if you blacklist "spamshitblog.net"; most people won't. People like RMS realized this a long time ago, but they basically got shouted down, and I definitely don't think we're gonna stop the train of unchecked free markets anytime soon.

TLDR: The market always wins, just download an adblocker.


I agree completely. It's just a shame.


Oh yeah the other day I saw a website that was showing ads in the fsking GDPR popup (when I tried to "customize" the experience).

Great job guys


The name wren is already used by: https://projectwren.com/


The Wren language has been around a lot longer than the project you linked.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: