Hacker News: davidatbu's comments

I don't think pypi or npm allow replacing existing packages?

They absolutely do. In this case litellm 1.82.8 had been out for at least a week (can’t recall the exact date offhand). The compromised version was a replacement.

It actually wasn't. That was one of the reasons why I looked into what was changed. Even 1.82.6 is only at an RC release on github since just before the incident.

So the fact that 1.82.7 and then 1.82.8 were released within an hour of each other was highly suspicious.


Ah, my mistake! Thanks for the correction.

But I believe you can replace versions on both, nonetheless. It’s a multi-step process, unpublish then publish again. But the net effect is the same.


PyPI enforces immutable releases.

https://pypi.org/help/#file-name-reuse

> PyPI does not allow for a filename to be reused, even once a project has been deleted and recreated...

> This ensures that a given distribution for a given release for a given project will always resolve to the same file, and cannot be surreptitiously changed one day by the projects maintainer or a malicious party (it can only be removed).


If you lock your dependencies, it should fail if the hash doesn't match.

1.82.7 and 1.82.8 were only up for about 3 hours before they were quarantined on PyPI.

Are you saying that VSCode runs tsserver in its own NodeJS process? Or are you saying that VSCode uses the NodeJS it ships to run tsserver in a different process?


Just want to say that as an AI engineer, you and the Latent Space folks are doing work that is extremely useful to me. Without y'all, I'd be forced to doom scroll on X to catch up on the latest developments.

I wanted to explicitly highlight the utility of what you do because of surrounding comments that suggest/imply otherwise.

Thank you Simon!


Super interesting! Was this C# or something? Is there a write-up/mini-blogpost about this somewhere?


How is enshittification (the gradual degradation of services and products for commercial gain) even related to what's being discussed (the gradual obsolescence of a certain set of skills of an SWE)?


I doubt that Meta (the company that sponsors the work on pyrefly) is looking forward to selling a product based on Python typing (assuming that's "what's being glazed in the article").


Koka and Roc-lang come to mind.


Fwiw, Chris has mentioned both of those as lessons he took from Swift that he'd like to avoid for Mojo.


Yeah the rate of progress in AI definitely makes it seem like that from the outside for me too.

But having never written CUDA, I have to rely on authority to some extent for this question. And it seems to me like few are in a better position to opine on whether there's a better story to be had for the software-hardware boundary in ML than the person who wrote MLIR and Swift for TensorFlow (alongside making that work on TPUs and GPUs), ran ML at Tesla for some time, was VP at SiFive, etc.


Chris's claim (at least with regards to Triton) is that it avails 80% of the performance, and they're aiming for closer to 100%.

