Hacker News | clncy's comments

It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?

Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.


The package was pulled at: 2025-07-23T03:03:01.239Z

And the GHSA advisory: 2025-07-23T03:03:56Z

So the GHSA was released after the pull (by a minute).


Also, if all the versions are affected, this malware has been in stylus since 2010. Honestly, it sounds improbable to me that malware exists unnoticed in open source software for 15 years. However, even if improbable, it's better to play safe and just override the installation of stylus (especially if you are not using it) with an empty package until more information is released.


I agree that it seems very improbable. The only possible malicious scenario I can imagine is that the GitHub repo is clean, but npm creds have been compromised.


The beacon to be guarded at all times by Ralphie??


Exactly. More like changing the state of the system to reduce the observed behaviour while introducing other (unknown) behaviours.


MS PowerApps, PowerAutomate and related offerings are truly awful products. I’ve given them the benefit of the doubt and been burned repeatedly.

Don’t tar all no/low code tools with the same brush though. I’ve had good success with Retool, for example.


No-code platforms are really DSLs wrapped in a nice UI. No-code platforms that are more open and developer-focused typically let you actually dump out the app as a big bundle of config/DSL (e.g. a custom JSON format).

Maybe using LLMs to generate DSL code will produce better (and more maintainable) results than fully-fledged languages?


“In the land of the blind, the one-eyed man is King”


Agreed. Try inheriting a project that hasn’t been updated for a few years. Between the absolute dependency hell, and major breaking changes, there is huge temptation to just rewrite the whole thing.

Even a basic application requires layers upon layers of dependencies. Many of them are not as mature as people like to think either.


> And often it is so alluring that actual requirements and costs fly out the window. Need to scale... infinitely? Just use Lambda Functions.

I don’t know why the author singles out Lambda. For many use cases their ongoing maintenance is close to zero.


I second the suggestion of Kevin Powell. As a backend dev who has always struggled with CSS, his videos really made CSS concepts click for me.


I also like the term Resume Driven Development (RDD) to describe this. Choose whichever technologies improve the developer's resume the most.


The technology most suited to improve one's resume will be the one most in demand on the job market, and therefore also the most difficult skill to hire for...

