Jim Nielsen’s Blog

Jeremy imagines a scenario where you’re trying to understand how someone cut themselves with a blade. It’d be hard to know how they cut themselves just by looking at the wound.

But if you talk to the person, not only will you find out the reason, you’ll also understand their pain.

But what if, hear me out here, instead we manufactured tiny microchips with sensors and embedded them in all blades?

Then we program them such that if they break human flesh, we send data — time, location, puncture depth, current blade sharpness, etc. — back to our servers for processing with AI.

This data will help us understand — without bias, because humans can’t be trusted — how people cut themselves.

Thus our research scales much more dramatically than talking to individual humans, widening our impact on humanity whilst simultaneously improving our product (and bottom line)!

I am accepting venture funds for this research. You can send funds to this bitcoin address: 17HzyHWNrdS7GpMArshSBLpJpcvrre93P6.

Reply via: Email · Mastodon · Bluesky

I’ve done something few on the internet do. I’ve changed my mind.

A few posts on my blog have started to unfurl social share imagery.

You might be wondering, “Wait Jim I thought you hated those things?”

It’s not that I hate social share imagery. I just think…well, I’ve shared my thoughts before (even made a game) so I won’t get on my soapbox.

But I think these “previews” have their place and, when used as a preview — i.e. an opportunity to graphically depict a brief portion of the actual, underlying content — these function well in service of readers.

For example, I often write posts that have zero images in them. They’re pure text. I don’t burden myself with the obligation to generate a graphical preview of the ideas contained in those posts.

But, sometimes, I create posts that have lots of imagery in them, or even just a good meme-like photo and it feels like a shame to not surface that imagery in some way.

So, in service of that pursuit, I set out to resolve how I could do og:images in my posts.

It’s not as easy as “just stick it your front-matter” because my markdown files don’t use front-matter. And I didn’t want to “just add front-matter”. I have my own idiosyncratic way of writing markdown for my blog, which means I need my own idiosyncratic way of denoting “this post has an og:image and here’s the URL”.

After giving it some thought, I realized that all my images are expressed in markdown as HTML (this lets me easily add attributes like alt, width, and height) so if I wanted to mark one of my images as the “preview” image for a post, I could just add a special data attribute like so:

You guys, I made the funniest image to depict this:

<img data-og-image src="" width="" height="" alt="">

Isn’t that hilarious?

Then my markdown processor can extract that piece of meta information and surface it to each post template, essentially like this:

<html>
  <title>{post.title}</title>
  {post.ogimage &&
    <meta property="og:image" content={post.ogimage}>}
  <body>
    <h1>{post.title}</h1>
    {post.content}

I love this because it allows me to leverage existing mechanisms in both the authoring and development processes (data attributes in HTML that become metadata on the post object), without needing to introduce an entirely new method of expression (e.g. front-matter).

It also feels good because:

1. It’s good for me. It doesn’t require any additional work on my part. I don’t have to create additional images for my posts. I’m merely marking images I’ve already created — which were done in service of a post’s content — as “previews” for the post.
2. It’s good for users. Readers of my site get image previews that are actually, well, previews — e.g. a graphical representation that will contextually reappear in the post, (as opposed to an image template whose contents do nothing to provide an advanced graphical preview of what’s to follow in the post itself).

It’s technology in service of content, rather than content in service of technology.

Or at least that’s what I like to tell myself :)

Reply via: Email · Mastodon · Bluesky

I have a standing desk that goes up and down via a manual crank.

I’ve had it for probably ten years.

Every time I raise or lower that thing, it gets my blood pumping.

I often think: “I should upgrade to one of those standing desks that goes up and down with the push of a button.”

Then there’s the other voice in my head: “Really? Are you so lazy you can’t put your snacks down, get out of your comfy chair, in your air conditioned room, and raise or lower your desk using a little elbow grease? That desk is just fine.”

While writing this, I get out of my chair, star the timer, and raise my desk to standing position. 35 seconds.

That’s the cost: 35 seconds, and an elevated heart rate.

As I have many times over the last ten years, I recommit to keeping it — mostly as a reminder that it’s ok to do some things manually. Not everything in my life needs to be available to me at the push of a button.

Reply via: Email · Mastodon · Bluesky

I love a good look at modern practices around semantic versioning and dependency management (Rick Hickey’s talk “Spec-ulation” is the canonical one I think of).

Niki recently wrote a good ‘un at tonsky.me called “We shouldn’t have needed lockfiles”.

What struck me was this point about how package manifests allow version ranges like ^1.2.3 which essentially declare support for future versions of software that haven’t yet been written:

Instead of saying “libpupa 1.2.3 depends on liblupa 0.7.8”, [version ranges] are saying “libpupa 1.2.3 depends on whatever the latest liblupa version is at the time of the build.”

Notice that this is determined not at the time of publishing, but at the time of the build! If the author of libpupa has published 1.2.3 a year ago and I’m pulling it now, I might be using a liblupa version that didn’t even exist at the time of publishing!

The funny thing is, we use version ranges only to go freeze them with lock files:

version ranges end up not being used anyway. You lock your dependencies once in a lockfile and they stay there, unchanged

In other words: we avoid locking ourselves to specific versions in package.json by using version ranges, only to then go lock ourselves to specific versions in package-lock.json — lol!

I mean, that’s funny when you think about it.

But to go back to Niki’s earlier point: version ranges let us declare to ourselves that some code that exists today is compatible with some other future code that has yet to be written.

This idea allows us to create automated build systems that resolve to an artifact whose dependencies have never existed before in that given combination — let alone tested and executed together in that combination.

Now I get it, semantic versioning is an idea not a guarantee. But it’s also pretty wild when you think about it — when you encounter the reality of how semantic versioning plays out in the day-to-day world of building software.

I guess that’s a way of acknowledging out loud that we have normalized shipping production systems on top of the assumption that untested, unwritten combinations of software will behave well together — if not better, since patch updates fix bugs right?

And that’s not even getting into the security side of the equation. Future versions of packages have no guarantee to be as safe as previous ones, as we’ve seen with some of the npm supply chain attacks which rely on version ranges for their exploits. (Funny, isn’t it? Upgrading to the latest version of a package can get you into trouble. The solution? Upgrading to the latest version of a package.)

Anyhow, this all gets me thinking that version ranges and dependency management were the gateway drug to the non-determinism of LLMs.

Reply via: Email · Mastodon · Bluesky

There was a time when I could ask, “Did you see the latest NPM attack?” And your answer would be either “Yes” or “No”.

But now if I ask, “Did you see the latest NPM attack?” You’ll probably answer with a question of your own: “Which one?”

In this post, I’m talking about the Qix incident:

• Prolific maintainer Qix was phished.
• Qix is a co-maintainer on many packages with Sindre Sorhus, the most popular maintainer on NPM (by download count).
• Attackers pushed malicious code to packages that are indirectly depended by a huge portion of the ecosystem (hundreds of millions of downloads a week).

When I first heard about it, I thought “Oh boy, better not npm i on the old personal machine for a little while.”

But as details began to emerge, I realized the exploit wasn’t targeting my computer. It was targeting the computers of people downstream from me: end users.

The malicious code didn’t do anything when running npm install. Instead, it laid there dormant, waiting to be bundled up alongside a website’s otherwise normal code and served to unsuspecting end users.

Maybe we should rename “bundlers” to “trojan horses”, lol.

That’s all to say: you didn’t have to run npm install to be affected by this attack. You just had to visit a website whose code was sourced via npm install. (You needed a bitcoin wallet too, as that was the target of the exploit.)

It’s wild because browsers work really hard to make it safe to visit any webpage in the world — to do a GET to any URL. But attacks like this chip away at those efforts.

So while it’s easy to think NPM can be unsafe for your computer because running npm install allows running arbitrary code, that’s not the whole story. npm install can be unsafe for:

• Your computer (install time execution)
  • Lifecycle scripts (preinstall, install, postinstall) allow running arbitrary code which can read/write files locally, steal keys and tokens, install malware, and otherwise exfiltrate data.
• Your dev/CI computer(s) (build time execution)
  • Compilers, bundlers, transpilers, plugins, etc., can all execute arbitrary code and leak secrets, corrupt build artifacts, add hidden payloads, etc.
• Your application server (server runtime execution)
  • Any dependency runs top-level in production and exposes risk to data exfiltration, unsafe privilege escalation, remote command execution, etc.
• Your users’ computers (client runtime execution)
  • Bundled dependencies ship with your website, exposing your users to malicious code that runs in their browser and can exfiltrate data, insert hidden trackers/miners, etc.

Reply via: Email · Mastodon · Bluesky

Related posts linking here: (2025) Social Share Imagery via a Data Attribute

I was reading Chase McCoy’s article “Antibuildings” where he cites Wikipedia’s entry on the term “Antilibrary” which points to another entry about the Japanese concept of Tsundoku, all of which deal with this idea of things we do with intention but that never make it to fruition.

Antilibraries are the books we buy but never read.

Antibuildings the architect’s version of sketches and plans drafted but buildings never made.

It got me thinking about the stuff I’ve started with intention but never brought to fruition — my own anti-*’s.

To name a few:

• Antidomains: the domains I bought and had big plans for, but they never progressed beyond being parked at my registrar. (Zach Leatherman recently made a list kinda like this, if you haven’t seen it.)
• Antiwebsites: the sites I was gonna make, but never shipped.
• Antilayers: the Photoshop, Sketch, or Figma designs I painstakingly crafted to the level of “completeness”, but then never began building with code.
• Anticode: the changes I made that functioned to the level of being usable and shippable, but then I never could pull the trigger on ‘em.
• Antiposts: (also known as “drafts”, lol) all those blog posts I poured time and energy into researching, writing, and editing, but never could take all the way to “published”.
• Antitweets: all the Tweets/Toots/Skeets I meticulously crafted as witty comebacks or sarcastic quips, but then never posted (honestly, probably for the better).

And last, but certainly not least — in fact, probably grandest of them all:

• Antitabs: all the browser tabs of articles, videos, recipes, and other good things I collected and was going to read, watch, bake, etc. but never did.

Reply via: Email · Mastodon · Bluesky

Related posts linking here: (2025) Social Share Imagery via a Data Attribute

Richard MacManus just posted “Chrome Switches on AI: The Future of Browsing Begins Now” where he points out that what we think of today as “browsers” is undergoing a radical change. Here’s the lay of the land:

• Microsoft launched “Copilot Mode” on Edge and promotes it as an “AI-powered browser.”
• Mozilla is baking AI into Firefox
• Atlassian is into browsers now with their acquisition of The Browser Company and its AI browser Dia (my computer autocorrected that to “Die” and I reluctantly changed it back).
• AI-first companies like Perplexity are releasing their own AI browsers.
• OpenAI hired ex-Chrome engineers and the rumor is they are building a browser.

Safari is notably absent from that list.

This all leads Richard to ask:

One has to wonder if “browser” is even the right word for what products like Chrome and Edge are evolving into. We are moving further away from curiosity-driven exploration of the web — the modern browser is becoming an automaton, narrowing what we can discover and reducing the serendipity.

The Chrome folks don’t appear to be shying away from the fact that they’re keen on killing evolving this long-held definition of what a “browser” is. From their announcement:

This isn’t just about adding new features; it’s about fundamentally changing the nature of browsing

One of the examples they give is that of a student researching a topic for a paper with dozens of tabs:

Instead of spending hours jumping between sources and trying to connect the dots, your new AI browsing assistant — Gemini in Chrome — can do it for you.

Wait what? Jumping between sources and trying to connect dots is literally the work of research and learning. The paper is merely a proxy to evaluate the success of the work. Can you automate learning?

But I digress.

Look, I like browsers. No, I LOVE browsers.

But it does kinda feel like “browser” is undergoing a similar redefinition as “phone”.

“Phones” used to be these devices that allowed you to speak with other people who weren’t within earshot of you.

Now they do that and a million other things, like let you listen to music, watch videos, order pizza, transfer money, find love, rent a vacation home, be radicalized, purchase underwear, take photos, etc.

However, despite all those added features, we still call them “phones”.

Perhaps I need to start redefining what I mean when I say “browser”.

Reply via: Email · Mastodon · Bluesky

Related posts linking here: (2025) Social Share Imagery via a Data Attribute

The same reason you would bake a batch of cookies: because you enjoy it — the process itself, but also the result.

And perhaps, if you like, you share the result with others.

Who is out there asking, “Should I bake a batch of cookies? How well can that act be monetized? Should I do something else instead?”

Do it for the fun of the thing itself.

It doesn’t have to be anymore than that. It can be — Dave talks about that — but it doesn’t have to be.

Bake cookies because you like to.

Make websites because you like to.

Reply via: Email · Mastodon · Bluesky

Have you ever searched for “AI chat” in the Mac App Store?

I have. It’s like strolling through one of those counterfeit, replica markets where all the goods look legit at first glance. But then when you look closer, you realize something is off.

For the query “AI chat”, there are so many ChatGPT-like app icons the results are comical. Take a look at these:

The real app icon for the ChatGPT desktop app (from OpenAI) is in that collection above. Can you spot it?

Here they are again in a single image:

(It’s the one in the 4th row, 3rd column.)

And those are just black-and-white lookalikes. There are other apps riding the AI/OpenAI wave that look like the ChatGPT logo just in different colors.

The funny thing is: the official ChatGPT desktop app from OpenAI is not even in the Mac App Store. It’s only available from their website, so it won’t show up in the “AI chat” results.

There were lots of other “sort of looks like the official one but isn’t” app icons in my search results, like this Claude one, this Grok one, or this Gemini one.

Oh, and these apps’ names were fascinating to look at. They were basically every spacing and casing combination of “AI”, “Chat”, and “Bot” you can image. Just look at this sampling:

• AI Chat Bot : Ask Assistant
• AI Chatbot: Chat Ask Assistant
• AI Chatbot : Chat AI Assistant
• AI Chatbot : Ask Assistant AI
• AI Chatbot—Open & Ask Chat Bot
• AI ChatBot ASK Chat Assistant
• AI Chatbot Assistant & Ask AI
• Ai Chatbot :Ask Open Assistant
• AI Chatbot :Genius Question AI
• AI Chatbot-Ask Seek Assistant
• AI ChatBot - Ask Anything Bot
• AI Chatbot, Ask Chat Assistant
• AI Chat Bot - AI Bot Assistant
• AI Chatbot・AI Chat Assistant 5
• Al Chatbot - AI Assistant Chat
• AI Chatbot : Ask AI Assistant
• AI Chatbot : Ask AI Chat Bot
• AI Chatbot • Chat AI Assistant
• AI ChatBot- Ask Chat Assistant
• AI Chat Bot - Ask Assistant
• AI Chatbot: Ask GPT Assistant
• Chatbot AI : Ask Assistant
• Chatbot: Open Ask AI Chat Bot
• AI Chatbot Assistant: Ask Bot
• AI Chat - Chatbot Ask Anything
• AI Chat: Smart AI Assistant
• Chatbot: Ask AI Assistant Bot
• Chatbot AI Chat - AI Assistant
• ChatBot : AI Chat Assistant
• ChatBot&Chat Ask Ai Assistant
• Chatbot: Ask Open Assistant AI
• Chatbot: Ask Character AI Chat
• AI Chatbot Assistant • Ask AI
• Ask AI Chatbot: Chat Assistant
• AI Chat - Chatbot Assistant 4o
• AI Bot: Al ChatBot & Assistant
• Chatbot: Open Chat with AI
• Chatbot: Ask AI Chat Bot
• AI Chat Assistant – ChatNow
• Chatbot: Open Chat with AI Bot
• Chatbot AI - Chat Assistant
• Open Chat Ai Chatbot Assistant

I mean, look at this one: they named it “Al Chatbot” (that's the letter l as in “lima”, you can see it better in the URL slug where the letters are lowercase: al-chatbot).

Imagine going to store to grab some Nike gear and you find stuff like this (image courtesy of this post on Reddit):

What does that say about the store you’re visiting?

I always wanted a pair of Mike Jordans, just like I always wanted ChatGPP for my Mac.

Reply via: Email · Mastodon · Bluesky

Related posts linking here: (2025) Social Share Imagery via a Data Attribute

I really enjoyed watching Python: The Documentary (from CultRepo, formerly Honeypot, same makers as the TypeScript documentary).

Personally, I don’t write much Python and am not involved in the broader Python community. That said, I love how this documentary covers a lot of the human problems in tech and not just the technical history of Python as language. For example:

• How do you handle succession from a pivotal creator?
• How do you deal with poor representation?
• How do you fund and steer open projects?
• How do you build community?
• How do you handle the fallout of major version changes?

And honestly, all the stories around these topics as told from the perspective of Python feel like lessons to learn from.

Here are a few things that stood out to me.

Guido van Rossum, Creator of Python, Sounds Cool

The film interviews Drew Houston, Founder/CEO at Dropbox, because he hired Python’s creator Guido van Rossum for a stint.

This is what Drew had to say about his time working with Guido:

It’s hard for me to think of someone who has had more impact with lower ego [than Guido]

For tech, that’s saying something! Now that is a legacy if you ask me.

The Python Community Sounds Cool

Brett Cannon famously gave a talk at a Python conference where he said he “came for the language, but stayed for the community”. In the documentary they interview him and he adds:

The community is the true strength of Pyhon. It’s not just the language, it’s the people.

❤️

This flies in the face of the current era we’re in, where it’s the technology that matters. How it disrupts or displaces people is insignificant next to the fantastic capabilities it purports to wield.

But here’s this language surrounded by people who acknowledge that the community around the language is its true strength.

People are the true strength.

Let me call this out again, in case it’s not sinking in: Here’s a piece of technology where the people around it seem to acknowledge that the technology itself is only secondary to the people it was designed to serve.

How incongruous is that belief with so many other pieces of technology we’ve seen through the years?

What else do we have, if not each other? That’s something worth amplifying.

Mariatta, Python Core Developer, Sounds Cool

I absolutely loved the story of @mariatta@fosstodon.org. If you’re not gonna watch the documentary, at least watch the ~8 minutes of her story.

Watched it? Ok, here’s my quick summary:

• She loves to program, but everywhere she looks it’s men. At work. At conferences. On core teams.
• She hears about pyladies and wants to go to Pycon where she can meet them.
• She goes to Pycon and sees Guido van Rossum stand up and say he wants 2 core contributors to Python that are female.
• She thinks, “Oh that’s cool! I’m not good enough for that, but I bet they’ll find someone awesome.”
• The next year she goes to the conference and finds out they’re still looking for those 2 core contributors.
• She thinks “Why not me?” and fires off an email to Guido.

Here’s her recollection on composing that email:

I felt really scared. I didn’t feel like I deserved mentorship from Guido van Rossum. I really hesitated to send this email to him, but in the end I realized I want to try. This was a great opportunity for me. I hit the send button.

And later, her feelings on becoming the first female core contributor to Python:

When you don’t have role models you can relate to, you don’t believe you can do it.

❤️ Mad respect. I love her story. As Jessica McKellar says in the film, Mariatta’s is an inspiring story and “a vision of what is possible in other communities”.

Python Is Refreshing

I’ve spent years in “webdev” circles — and there are some great ones — but this Python documentary was, to me, a tall, refreshing glass of humanity.

Go Python!

Reply via: Email · Mastodon · Bluesky