It's not even funny:

  $ ll /nix/store/*-insect-5.9.0/lib/node_modules/insect/node_modules/clipboardy/fallbacks/*
  /nix/store/…-insect-5.9.0/lib/node_modules/insect/node_modules/clipboardy/fallbacks/linux:
  .r-xr-xr-x 129k root  1 Jan  1970 xsel

  /nix/store/…-insect-5.9.0/lib/node_modules/insect/node_modules/clipboardy/fallbacks/windows:
  .r-xr-xr-x 444k root  1 Jan  1970 clipboard_i686.exe
  .r-xr-xr-x 331k root  1 Jan  1970 clipboard_x86_64.exe

(clipboardy ships executables and none of them can be run on NixOS btw)


I don't know why, but clipboard libraries tend to be really poorly implemented, especially in scripting languages.

I just checked out clipboardy and all they do is dispatch binaries from the path and hope it's the right one (or if it's even there at all). I think I had a similar experience with Python and Lua scripts. There's an unfunny amount of poorly-written one-off clipboard scripts out there just waiting to be exploited.

I'm only glad that the go-to clipboard library in Rust (arboard) seems solid.


Are they reproducible? Shipping binaries in JS packages is dodgy AF - a Jia Tan attack waiting to happen.


The executables are vendored in the repo [0].

[0] https://github.com/sindresorhus/clipboardy/tree/main/fallbac...
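Added example, not part of the thread and not code from clipboardy or Nix: a Python audit that walks an installed package tree and lists prebuilt ELF and PE files with their SHA-256, so vendored binaries like the ones in the listing above can be reviewed or pinned. The function names and the stub sample tree are constructed for illustration.

```python
import hashlib
import os
import struct
import tempfile

def classify(data):
    """Return 'ELF' or 'PE' based on file magic, else None."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "PE"
    return None

def find_vendored_executables(root):
    """Walk a package tree; return sorted (relative path, kind, sha256) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            with open(path, "rb") as fh:
                data = fh.read()
            kind = classify(data)
            if kind:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, kind, hashlib.sha256(data).hexdigest()))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed stand-in for the layout listed above (stub bytes, not real binaries)."""
    pe_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    sample = {
        "clipboardy/fallbacks/linux/xsel": b"\x7fELF" + b"\0" * 12,
        "clipboardy/fallbacks/windows/clipboard_x86_64.exe": pe_stub,
        "clipboardy/index.js": b"export default {};\n",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind, digest in find_vendored_executables(tmp):
            print(f"{kind:4} {digest[:16]}  {rel}")
```

Pointing `find_vendored_executables` at a real `node_modules` directory gives a list of digests that can be compared across releases or against a build from source.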