Hacker News: padjo's comments

If you only use npm to manage client-side deps then it removes the ability to compromise a dev's machine or the CI server. Seems like nice attack vectors to just eliminate entirely.

If I just continually predict that it will rain tomorrow I'll be right eventually. That doesn't mean that I know anything about the weather.

> Maybe vibe bun is just as good or better than old bun, but how would we know at this point?

By considering objective facts like efficiency, performance, error rates, security vulns etc. like we always do?


There is no such thing as "we always do" now.

We care about those things you listed and also the fact that code was written by (or exhaustively reviewed by) a sentient consciousness. It's just that the second thing has historically been implied. That's the difference you are experiencing.


These objective facts aren't known right now for vibe bun.

Someone would have to do a bunch of work to establish these things.


Do you mind if I vibecode a fresh vehicle control software for your car?

Don’t worry, it’ll just be in a different language.


Will be interesting to see how this pans out. Some people will see minor issues as proof that AI is terrible, but honestly if this gets released and is relatively uneventful it just highlights how the art of building software has changed completely in the last few years.


I have tried not working and it's great.


Well that's confusing. The company Fin will now make the products Intercom and Fin rather than the company Intercom making the products Fin and Helpdesk. Hard to see how that's an improvement.


If you're touting widgets in your marketing it's a sure sign that you have nothing useful to sell.


Come on, I use widgets all the time! There's the weather one, and the Google search one at the bottom that I can't remove!


So in summary:

- a writable shared global cache is made available to PRs opened from forks by randomers.

- that cache is reused in the deploy pipeline

- deploys can be made with a single authentication factor, stored on the CI server

- the repository apparently does nothing to check for malicious deploys, delegating that to 3rd parties to do after the code is in the wild.

- by default the package manager runs random code when a package is updated

What a world we live in.
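The chain summarised in the comment above, shown as a weak GitHub Actions setup next to a hardened release workflow. This is an added illustration, not TanStack's actual configuration; the trigger and cache-scoping behaviour is general GitHub Actions behaviour, while job names, secret names and cache keys are assumptions.

```yaml
# Added illustration, not the project's real workflow; job, secret and cache-key names are assumptions.
name: ci-weak
on:
  pull_request_target:   # fork PRs run with the base repo's privileges and secrets
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}   # saved into the base branch's cache scope
      - run: npm install   # lifecycle scripts of every dependency run by default
  deploy:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}   # restores whatever a fork run saved
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # one long-lived factor, stored on CI
---
# Hardened release workflow. PR checks belong in a separate workflow triggered by
# pull_request, which gives fork runs a read-only token, no secrets, and a cache
# scope that runs on main cannot restore from.
name: release-hardened
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # assumed protected environment with a required reviewer
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts   # fresh install, no cache restored, no install-time code
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # released only after the environment gate
```

The hardened deploy never restores a cache it did not create itself, so a poisoned `node_modules` from a fork run has no path into the published artifact.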


And the gotcha has been known about since 2014:

> This is the class of attack documented by Adnan Khan in 2024. It's not a TanStack-specific bug; it's a known GitHub Actions design issue that requires conscious mitigation.

While it seems the maintainers kinda went out of their way to enable this - GitHub could easily have at least turned off cache-sharing between fork jobs and the main jobs...


I love connections but holy crap can people just not spot an edit? It's a cool shot but the bit he had to time is short and pretty simple.


But that's not what this article is? The author is clearly a long-time AWS user and former evangelist who has soured on it as it has become increasingly bloated.

