Hacker News: rezonant's comments

Nice! Didn't know you could make a Datadog dashboard public like that!

For the first case, it doesn't work because Object.assign() does not copy the prototype or non-enumerable properties, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...

  > let config = {};
  > Object.assign(config, JSON.parse('{"__proto__": {"isAdmin": true}}'));
  console.log({}.isAdmin); // undefined
That being said, it _will_ happen if you use your own merge() function like the TC-39 proposal demonstrates, but it's because you are using the [] syntax to implement it, which can affect __proto__.

Side note, JSON.parse() also doesn't let you set the actual prototype:

  > JSON.parse('{"__proto__": {"isAdmin": true}}')
  { ['__proto__']: { isAdmin: true } }
  > JSON.parse('{"__proto__": {"isAdmin": true}}').isAdmin
  undefined
A normal JS object can do it, but of course that isn't attacker controlled unless you are using `eval()`, in which case the battle is lost anyway.

  > {"__proto__": {"isAdmin": true}}.isAdmin
  true
But even if JSON itself doesn't set the actual prototype, combining it with a user-written merge() function that copies __proto__ will indeed pollute.

  > Object.entries(JSON.parse('{"__proto__": {"isAdmin": true}}')).reduce((o, [k, v]) => (o[k] = v, o), {}).isAdmin
  true
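An added example (not from the thread, and not anyone's production code) that puts the three merge shapes discussed above side by side: the shallow [] merge the reduce() does, a naive recursive merge that walks into Object.prototype, and a hardened version that skips the prototype-chain keys. The names probe(), isObject and UNSAFE_KEYS are my own, and the payload is the constructed one from the comment.

```javascript
// Constructed sample payload, the same one used in the thread.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';
const isObject = (v) => typeof v === 'object' && v !== null && !Array.isArray(v);

// Shallow merge with the [] syntax (what the reduce() in the thread does): the
// "__proto__" key hits the setter, so only target's own prototype changes.
function shallowMerge(target, source) {
  for (const [k, v] of Object.entries(source)) target[k] = v;
  return target;
}

// Naive deep merge: recursing into target["__proto__"] walks into
// Object.prototype itself, so the "isAdmin" write pollutes every object.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: drop keys that reach the prototype chain and only
// recurse into properties the target itself owns.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs one merge against the payload and reports whether the merged object
// gained isAdmin and whether an unrelated {} did (global pollution), then
// removes the polluted key so successive runs stay independent.
function probe(mergeFn) {
  const config = mergeFn({}, JSON.parse(PAYLOAD));
  const result = { configIsAdmin: config.isAdmin === true, globalPolluted: ({}).isAdmin === true };
  delete Object.prototype.isAdmin;
  return result;
}
```

probe(shallowMerge) gives { configIsAdmin: true, globalPolluted: false }, probe(naiveDeepMerge) gives both true, and probe(safeDeepMerge) gives both false.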

That was a typo, yeah. It should be

  console.log(config.isAdmin); // true!

That's very clever!


We have this nifty util in our codebase:

```ts
/**
 * A function that asserts that a value is never.
 * Useful for exhaustiveness checks in switch statements.
 */
export function assertNever(x: never): never {
  // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
  throw new Error(`Unexpected object: ${x}`)
}
```


Sigh, I'm so over homebrew's hipster rubyist brewery analogy


And then while checking your email you mindlessly click it and realize it's the one you have "snoozed" by marking it unread, so you need to mark it unread again.

Rinse, repeat


Yes - that was Hell.

Now I have a keystroke that will automatically create a TODO with a link to the message. I hit the keystroke and then archive so it no longer shows up in my inbox.

There are lots of poor productivity books/hacks, but the "Do not treat your inbox as a TODO list" has stood the test of time.


I was inbox-only since GMail was in beta, and received tons of email notifications and extraneous mail over that 20-year period that didn't get read.

My inbox was at about 100k _unread_ emails with about 280k total.

I am happy to say I am now at inbox-zero (ish).


Impressive. I've also been using gmail since beta. I'm only at 27,980 unread.


Stop making so much sense


I would be highly surprised if most of these bots are already running JavaScript; I'm confused by this unquestioned notion that they don't.


It only challenges user agents with Mozilla in their name by design, because user agents that do otherwise are already identifiable. If Anubis makes the bots change their user agents, it has done its job, as that traffic can now be addressed directly.


This has basically been Wikipedia's bot policy for a long, long time. If you run a bot you should identify it via the UserAgent.

https://foundation.wikimedia.org/wiki/Policy:Wikimedia_Found...


It's only recently, within the last three months IIRC, that Wikipedia started requiring a UA header.

I know because as a matter of practice I do not send one. Like I do with most www sites, I used Wikipedia for many years without ever sending a UA header. Never had a problem.

I read the www text-only, no graphical browser, no JavaScript.


What if every request from the bot has a different UA?


Success. The goal is to differentiate users and bots who are pretending to be users.


Then you can tell the bots apart from legitimate users through normal WAF rules, because browsers froze the UA a while back.


Can you explain what you mean by this? Why Mozilla specifically and not WebKit or similar?


Due to weird historical reasons [0] [1], every modern browser's User-Agent starts with "Mozilla/5.0", even if they have nothing to do with Firefox.

[0]: https://en.wikipedia.org/wiki/User-Agent_header#Format_for_h...

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...



CMV: HN should just automatically replace x links with xcancel

