Especially true with the runes update. imo, it traded away the thing that made it unique and truly great in the market: the feeling that you’re just writing vanilla HTML, JS, and CSS.
It was a false feeling. 1) Vue already had runes, under a different name. 2) Svelte's old behavior was only possible with their dependency-tracking compilation step. i.e. not vanilla. 3) runes use proxies, which are vanilla JS, and don't require a build step at all, although svelte may still have them.
Honestly, I don't even really care that much which frontend library wins, and I've been mostly happy with React as a foundation to build off of. If the future is some Rust-based framework compiled to WASM, that's ultimately fine with me. Just as long as whatever it is is relatively performant and stable and doesn't add 1 megabyte of code to every pageload.
You skipped all the hard parts, all the struggling, and now you have a working product without a mental model and can't level up to doing harder things on your own. Struggling IS learning. You didn't try different paths, piece different info together, and then eventually create a mental model. You just used ChatGPT to skip to the end result.
It's like enrolling for a Calc 2, cheating on all the homework to get an A, and saying "did i learn anything? No, but it solved all of these annoying homework problems for me!" Now when you have to take the 1st exam you're screwed because you didn't learn anything.
Let's be honest, how likely is that to happen?
"There are 102 people who die in a car accident every day. Someone could have just been struck by lightning while driving and skewed the statistics so that number isn't entirely accurate"
Waymo operates a business that offers hundreds or thousands of rides every day under regulatory supervision, and we have public data about accidents (there have been a few). My anecdotal observations aren’t a replacement for data, but there is data. For the Tesla I’ve had FSD on my personal car since it became available in beta and have way more than three rides. My observations are sufficient to tell me it’s not reliable enough to run unsupervised, at least as long as I’m liable or in the same city as an unsupervised one.
Don’t do this. Google will ban your account. My friends have done this before in video games and have gotten their accounts perma-banned months / years later.
Even if you did review it, a motivated attacker is not going to have an exfiltrate_user_data(). The xz backdoor exploit was incredibly sophisticated, and one key part of the design was sneaking a "." into a single line of a build test script.
A cursory audit of primary dependencies has almost zero chance of catching anything but a brazen exploit.
Yeah. Realistically I think the best course of action is just assume you’re already using a library that can exfiltrate data.
This requires allowlisting egress traffic and possibly even architecting things to prevent any one library from seeing too many things. This approach can be a big pain though and could be difficult to implement practically.
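The two mitigations the comment above sketches, an egress allowlist and handing each library only the settings it needs, look roughly like this in Python. This is an added example, not code from anyone in the thread: the hostnames, ports and secret values are constructed, `EgressPolicy`, `install_guard`, `scoped_config` and `simulated_dependency_upload` are hypothetical names, and the in-process `socket.create_connection` hook is deliberately only a demonstration of where the check goes, since a hostile dependency in the same process can call `socket.socket` directly or restore the original function.

```python
# Added example (not from the thread): an application-level egress allowlist plus a
# least-privilege view of configuration. All hosts, ports and secrets are constructed.
import ipaddress
import socket
from types import MappingProxyType
from urllib.parse import urlsplit


class EgressDenied(Exception):
    """Raised when code attempts an outbound connection that is not allowlisted."""


class EgressPolicy:
    """Allowlist of (hostname, port) pairs this process may connect to."""

    def __init__(self, allowed):
        self.allowed = set()
        for entry in allowed:  # entries look like "api.example.com:443"
            host, _, port = entry.rpartition(":")
            self.allowed.add((host.lower().rstrip("."), int(port)))

    def check(self, host, port):
        host = str(host).lower().rstrip(".")
        # Allowlist names only: an IP literal is the cheapest way to reach an
        # attacker-controlled collector that no DNS policy ever sees.
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass
        else:
            raise EgressDenied(f"IP literal egress refused: {host}:{port}")
        if (host, int(port)) not in self.allowed:
            raise EgressDenied(f"egress to {host}:{port} is not allowlisted")
        return True

    def check_url(self, url):
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise EgressDenied(f"only https egress permitted, got {parts.scheme!r}")
        return self.check(parts.hostname or "", parts.port or 443)


def install_guard(policy):
    """Route socket.create_connection (used by http.client/urllib) through the policy.

    This is in-process and advisory: a library that wants to bypass it can open a raw
    socket or restore the original attribute. Treat it as defence in depth behind a
    network-layer allowlist (host firewall or egress proxy). Returns the original
    function so the guard can be uninstalled.
    """
    original = socket.create_connection

    def guarded(address, *args, **kwargs):
        policy.check(address[0], address[1])
        return original(address, *args, **kwargs)

    socket.create_connection = guarded
    return original


def scoped_config(config, keys):
    """Hand a library a read-only view containing only the settings it needs."""
    missing = set(keys) - set(config)
    if missing:
        raise KeyError(f"requested keys not in config: {sorted(missing)}")
    return MappingProxyType({k: config[k] for k in keys})


def simulated_dependency_upload(policy, url):
    """Stand-in for a dependency that phones home; returns the guard's decision."""
    try:
        policy.check_url(url)
        return "allowed"
    except EgressDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    policy = EgressPolicy(["api.example.com:443", "metrics.example.com:443"])
    print(simulated_dependency_upload(policy, "https://api.example.com/v1/report"))
    print(simulated_dependency_upload(policy, "https://collector.attacker.example/x"))
    print(simulated_dependency_upload(policy, "https://203.0.113.10/upload"))
    secrets = {"db_password": "hunter2", "api_key": "k-123", "signing_key": "s-456"}
    print(dict(scoped_config(secrets, ["api_key"])))  # the library never sees the rest
```

The policy refuses plain HTTP, non-default ports and IP literals as well as unknown names, because each of those is a cheap way around a name-based allowlist. The real enforcement point is still outside the process: a firewall or egress proxy that only knows the same short list of destinations, with the in-process hook there mainly so that a violation produces a readable error and a log line instead of a silent timeout.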