HN Reader

Getting forked by Microsoft (philiplaine.com)

1864 points by phillebaba 9d ago 997 comments

Widespread power outage in Spain and Portugal (bbc.com)

1522 points by lleims 2d ago 1147 comments

A $20k American-made electric pickup with no paint, no stereo, no screen (theverge.com)

1436 points by kwindla 5d ago 1286 comments

You wouldn't steal a font (fedi.rib.gay)

1397 points by todsacerdoti 7d ago 391 comments

How a 20 year old bug in GTA San Andreas surfaced in Windows 11 24H2 (cookieplmonster.github.io)

1365 points by yett 7d ago 297 comments

Careless People (pluralistic.net)

1062 points by Aldipower 6d ago 536 comments

DOGE worker’s code supports NLRB whistleblower (krebsonsecurity.com)

1012 points by todsacerdoti 7d ago 529 comments

FBI arrests judge accused of helping man evade immigration authorities (apnews.com)

1002 points by eterps 5d ago 938 comments

Watching o3 guess a photo's location is surreal, dystopian and entertaining (simonwillison.net)

975 points by simonw 4d ago 430 comments

Show HN: I built a hardware processor that runs Python (runpyxl.com)

969 points by hwpythonner 2d ago 263 comments

I use zip bombs to protect my server (idiallo.com)

953 points by foxfired 2d ago 417 comments

Someone at YouTube needs glasses (jayd.ml)

932 points by jaydenmilne 8h ago 531 comments

Show HN: I built an AI that turns GitHub codebases into easy tutorials (github.com)

919 points by zh2408 11d ago 172 comments

Wikipedia’s nonprofit status questioned by D.C. U.S. attorney (washingtonpost.com)

917 points by coloneltcb 5d ago 905 comments

Pope Francis has died (reuters.com)

914 points by phillipharris 9d ago 769 comments

Internet in a Box (internet-in-a-box.org)

882 points by homebrewer 3d ago 243 comments

AI Horseless Carriages (koomen.dev)

861 points by petekoomen 7d ago 476 comments

Qwen3: Think deeper, act faster (qwenlm.github.io)

843 points by synthwave 2d ago 382 comments

Whistleblower: DOGE Siphoned NLRB Case Data (krebsonsecurity.com)

816 points by whalesalad 8d ago 452 comments

I wrote to the address in the GPLv2 license notice (2022) (code.mendhak.com)

794 points by ekiauhce 6d ago 560 comments

An end to all this prostate trouble? (yarchive.net)

787 points by bondarchuk 4d ago 313 comments

LibreLingo – FOSS Alternative to Duolingo (librelingo.app)

767 points by hyperific 1d ago 351 comments

Firefox tab groups are here (blog.mozilla.org)

759 points by TangerineDream 1d ago 426 comments

ICE Deports 3 U.S. Citizen Children Held Incommunicado Prior to the Deportation (aclu.org)

735 points by mandmandam 4d ago 811 comments

Finland Bans Smartphones in Schools (yle.fi)

710 points by freetonik 14h ago 440 comments

Migrating away from Rust (deadmoney.gg)

707 points by rc00 2d ago 729 comments

Librarians are dangerous (bradmontague.substack.com)

698 points by mooreds 11d ago 645 comments

Raspberry Pi Lidar Scanner (github.com)

685 points by Venn1 11d ago 185 comments

Try Switching to Kagi (daringfireball.net)

683 points by Ch00k 1d ago 454 comments

Show HN: Dia, an open-weights TTS model for generating realistic dialogue (github.com)

650 points by toebee 9d ago 191 comments

Writing "/etc/hosts" breaks the Substack editor (scalewithlee.substack.com)

640 points by scalewithlee 5d ago 352 comments

Port of Los Angeles says shipping volume will plummet 35% next week (cnbc.com)

635 points by perihelions 10h ago 547 comments

Blog hosted on a Nintendo Wii (blog.infected.systems)

621 points by edent 9d ago 104 comments

Python’s new t-strings (davepeck.org)

618 points by tambourine_man 9d ago 464 comments

Only Teslas exempt from new auto tariffs thanks to 85% domestic content rule (fuelarc.com)

608 points by abduhl 1d ago 643 comments

Gemma 3 QAT Models: Bringing AI to Consumer GPUs (developers.googleblog.com)

602 points by emrah 10d ago 276 comments

Atuin Desktop: Runbooks That Run (blog.atuin.sh)

572 points by freetonik 8d ago 150 comments

Show HN: My self-written hobby OS is finally running on my vintage IBM ThinkPad (github.com)

569 points by joexbayer 4d ago 115 comments

Jepsen: Amazon RDS for PostgreSQL 17.4 (jepsen.io)

563 points by aphyr 1d ago 137 comments

Evertop: E-ink IBM XT clone with 100+ hours of battery life (github.com)

563 points by harryvederci 9d ago 190 comments

I created Perfect Wiki and reached $250k in annual revenue without investors (habr.com)

539 points by sochix 15h ago 307 comments

Mark Zuckerberg says social media is over (newyorker.com)

531 points by FinnLobsien 6d ago 920 comments

The Friendship Recession: The lost art of connecting (happiness.hks.harvard.edu)

528 points by 47thpresident 4d ago 442 comments

Chain of Recursive Thoughts: Make AI think harder by making it argue with itself (github.com)

521 points by miles 1d ago 233 comments

Cloth (cloudofoz.com)

513 points by memalign 4d ago 59 comments

The effect of deactivating Facebook and Instagram on users' emotional state (nber.org)

505 points by imakwana 9d ago 499 comments

How a single line of code could brick your iPhone (rambo.codes)

500 points by sashk 3d ago 118 comments

Why did Windows 7 log on slower for months if you had a solid color background? (devblogs.microsoft.com)

495 points by zdw 2d ago 292 comments

OpenAI releases image generation in the API (openai.com)

486 points by themanmaran 6d ago 295 comments

Sycophancy in GPT-4o (openai.com)

473 points by dsr12 20h ago 387 comments

Tell HN: Camelgate NPM Outage (Cloudflare)

122 bavarianbob 36 4/1/2025, 4:19:28 PM
EDIT: Back online?!

NPM discussion: https://github.com/npm/cli/issues/8203

NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s

Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74

GitHub issue: https://github.com/sindresorhus/camelcase/issues/114

Anyone experiencing npm outage that's more than just the referenced camelcase package?

Comments (36)

tom_usher · 29d ago
Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

That rule can be overridden if you're having this issue on your own site.

internetter · 29d ago
> any site using that will have URLs containing 'camel' blocked

What engineer at cloudflare thought this was a good resolution?

Raed667 · 29d ago
I doubt the system is that simple. No one wrote a rule saying `if url.contains("camel") then block()` it's probably an unintended side-effect
keithwhor · 29d ago
If this is a bet, I'll happily take the other side and give you 4:1 on it.
dgfitz · 29d ago
Me too.
ycombinatrix · 29d ago
Akamai has been doing precisely that for years & years...
benoau · 28d ago
I think you can include advertising/privacy block lists in that vein too, although that allows for the users to locally-correct any issues.
isbvhodnvemrwvn · 28d ago
Judging by previous outages it was probably a poorly tested overcomplicated regex which matched to much.
cbovis · 29d ago
Confirmed here: https://www.cloudflarestatus.com/incidents/gshczn1wxh74
oncallthrow · 29d ago
WAFs are so shit
ronsor · 29d ago
WAFs are literally "a pile of regexes can secure my insecure software"
mschuster91 · 29d ago
To be fair to WAFs, most are more than just a pile of regexes. Things like detecting bot traffic - be it spammers or AI scrapers - are valuable (ESPECIALLY the AI scraper detection, because unlike search engines these things have zero context recognition or respect for robots.txt and will just happily go on and ingest very heavy endpoints), and the large CDN/WAF providers can do it even better because they can spot shit like automated port scanners, Metasploit or similar skiddie tooling across all the services that use them.

Honestly what I'd _love_ to see is AWS, GCE, Azure, Fastly, Cloudflare and Akamai band together and share information about such bad actors, compile evidence lists and file abuse reports against their ISP - or in case the ISP is a "bulletproof hoster" or certain enemy states, initiate enforcement actors like governments to get these bad ISPs disconnected from the Internet.

randunel · 28d ago
Why would scrapes get blocked, is scrapping illegal?
eitland · 28d ago
I don't know if it is, but I also don't think we are required to let dumb bots repeatedly assault or web sites if we can find a technical way to get around it.
Xylakant · 28d ago
It's very often not, but it's still the website owners property and if they choose so, they can show misbehaving guests the door and kindly ask to remain on the other side (aka block them). Large scale scraping puts substantial burden on web properties. I was paged the other night because someone decided it would be a great idea to throw 200 000rq/s for a few minutes at some publicly available volunteer run service.
cluckindan · 28d ago
They do mitigate known vulnerabilities.
rcxdude · 27d ago
They may mitigate known proofs of concept of vulnerabilities, and require a small amount of creativity to work around. At the cost of randomly breaking things.
cluckindan · 27d ago
That creativity takes time. WAFs are the first line of defence, buying some time for fixing the actual vulnerabilities.
UltraSane · 28d ago
But are they less shit than the shitty software they filter traffic for?
Recursing · 29d ago
Any path with the word "camel" seem to trigger this: https://www.npmjs.com/search?q=camel | https://registry.npmjs.org/camel123 | https://registry.yarnpkg.com/camel456

Some discussion here https://github.com/npm/cli/issues/8203

Edit: this is resolved now https://status.npmjs.org/incidents/hdtkrsqp134s

pvg · 29d ago
This is not CF WAF's first rodeo https://news.ycombinator.com/item?id=20421538

Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.

lynnesbian · 28d ago
> a product that mostly doesn't do anything except for occasionally break the internet

I wouldn't say that. The postmortem you referred to links to another CloudFlare blog post - one about a pretty serious RCE vuln in Microsoft SharePoint that was blocked by their WAF: https://blog.cloudflare.com/stopping-cve-2019-0604/

pvg · 28d ago
I mean, it's hardly surprising CloudFlare will tell you this is a useful product. But it is to securing a web application what regex is to parsing HTML.
jiggawatts · 28d ago
Sadly I work with web developers that all assume they don’t need to bother too much with security “because we have a WAF”.
AdamJacobMuller · 29d ago
I'm not sure why "WAF has false positives" makes it useless, nor would I say this is anywhere near the scale of "breaking the internet" and I'm not even fan of the concept of WAFs in general.
pvg · 29d ago
The last one took out a lot more stuff than this one but the argument is the same - this product is a checkmark thing and when it's not fulfilling its checkmark purpose, it causes outages. Still an amusing bi-modality! I suppose it shares it with DNSSEC.
misiek08 · 29d ago
Basically CF default WAF settings saved more small and medium companies I can even count to. I’m not CF fan, but WAFs (with rate limiting) do help. Sad that one or two incidents for that complicated and big services make people post such comments, but cmon - it doesn’t have AI in it's name so sheeps have to cry, right?
calvinmorrison · 29d ago
we've used it to rescue some vintage appliances that are basically unsecurable.
nwalters512 · 29d ago
The npm folks have officially acknowledged an incident now: https://status.npmjs.org/incidents/hdtkrsqp134s
miyuru · 28d ago
Outsourcing WAF is a double-edged sword.

I would have thought a large company like GitHub or Microsoft can have their own WAF team for their apps.

(NPM is owned by GitHub, and GitHub is owned by Microsoft)

klysm · 29d ago
This is what you get when you buy security as an add-on product
troyvit · 28d ago
Some orgs can't afford not to.
mplanchard · 29d ago
Glad you posted something, thought I was going nuts
drusepth · 29d ago
Is this also why unpkg has been up and down all morning?
ycombinatrix · 29d ago
unpkg barely works even when there's no incident
time4tea · 27d ago
Scunthorpe problem