What they don't need is hardcoding support for five JS package managers in their python files.
In the post the maintainer says that an older version of bun "results in the ejs lockfile being ignored".
The reason is that they never committed the necessary lockfile despite listing "support" for that bun version.
They have separate lockfiles for other package manager versions: bun.lock, deno.lock, package-lock.json, pnpm-lock.yaml.
This part of the comment is also interesting: "which is a significant security concern for users when considering all of the recent npm supply chain attacks".
If you set up a proper build for the JS artifact instead of committing four lockfiles to your repository, users would not be as exposed to npm supply chain attacks.
I speculate that I could indeed "vibe code" a better JS build integration because what they have does not make sense at a first look.
It appears they mixed JS building into their python project, aiming to support multiple package managers which are executed from their python script.
This explains the otherwise nonsensical explanation about bun < v2 ignoring the lockfile: they use a separate lockfile for each package manager. They did not check in one for bun v1, which they claimed to support; consequently it is not using a lockfile.
That's not how JS packaging normally works. I would set up a separate folder for the JS project, and use one package manager to build the project, like anyone else does.
Publish the package to npm, or bundle the tarball with your python program.
I guess the permission model of the JS runtime could be another topic, but at least they would have their build fixed without worrying about Node dependency resolution and package managers in their Python code.
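The failure mode described in the thread (a package manager that finds no lockfile of its own and quietly resolves fresh versions, plus several managers' lockfiles coexisting in one directory) is easy to check for mechanically. The following is an added example, not code from the post or from the project being discussed. It reads the declared tool from the `packageManager` field of package.json (the Corepack convention, e.g. `"bun@1.2.3"`); the mapping from manager to lockfile names and to a "frozen" install command is this example's own assumption, and the flag names (`npm ci`, `--frozen-lockfile`, `--immutable`, `--frozen`) should be confirmed against the version of each tool you actually run.

```python
"""Audit a JS sub-project for lockfile / package-manager mismatches.

Added example (not the project's own code). Assumptions: the build tool is
declared in package.json's "packageManager" field, and the MANAGERS table
below correctly names each tool's lockfile(s) and its strict install command.
"""
import json
import sys
from pathlib import Path
from typing import Optional

# Lockfile(s) each manager honours, and the install invocation that refuses to
# proceed when the lockfile is missing or out of sync with package.json.
# (Assumed from each tool's documentation; verify for the versions you use.)
MANAGERS = {
    "npm":  {"lockfiles": ["package-lock.json"],    "frozen": ["npm", "ci"]},
    "pnpm": {"lockfiles": ["pnpm-lock.yaml"],       "frozen": ["pnpm", "install", "--frozen-lockfile"]},
    "yarn": {"lockfiles": ["yarn.lock"],            "frozen": ["yarn", "install", "--immutable"]},
    "bun":  {"lockfiles": ["bun.lock", "bun.lockb"], "frozen": ["bun", "install", "--frozen-lockfile"]},
    "deno": {"lockfiles": ["deno.lock"],            "frozen": ["deno", "install", "--frozen"]},
}


def declared_manager(package_json: dict) -> Optional[str]:
    """Return the tool name from a packageManager value such as "bun@1.2.3"."""
    value = package_json.get("packageManager")
    if not isinstance(value, str) or not value:
        return None
    return value.split("@", 1)[0]


def audit(files: set, package_json: dict) -> dict:
    """Pure check over the set of file names in the JS project root.

    Findings:
    - "no-declared-manager": nothing pins which tool builds the artifact
    - "unknown-manager":     packageManager names a tool this audit does not know
    - "missing-lockfile":    the declared tool has no lockfile to honour, so an
                             install silently resolves fresh versions (the
                             bun < v2 situation from the thread)
    - "multiple-lockfiles":  lockfiles for several tools coexist, so the versions
                             installed depend on which tool the caller happens to run
    """
    manager = declared_manager(package_json)
    present = {name: [f for f in spec["lockfiles"] if f in files]
               for name, spec in MANAGERS.items()}
    found = sorted(f for fs in present.values() for f in fs)

    findings = []
    if manager is None:
        findings.append("no-declared-manager")
    elif manager not in MANAGERS:
        findings.append("unknown-manager")
    elif not present[manager]:
        findings.append("missing-lockfile")
    if sum(1 for fs in present.values() if fs) > 1:
        findings.append("multiple-lockfiles")
    return {"manager": manager, "lockfiles": found, "findings": findings}


def frozen_install_command(manager: str) -> list:
    """The strict install command to use in CI for the declared tool."""
    return list(MANAGERS[manager]["frozen"])


def audit_dir(root: str) -> dict:
    """Run audit() against a real directory on disk."""
    path = Path(root)
    pkg_path = path / "package.json"
    package_json = json.loads(pkg_path.read_text()) if pkg_path.exists() else {}
    files = {p.name for p in path.iterdir() if p.is_file()}
    return audit(files, package_json)


if __name__ == "__main__":
    result = audit_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(json.dumps(result, indent=2))
    if result["manager"] in MANAGERS and not result["findings"]:
        print("CI install:", " ".join(frozen_install_command(result["manager"])))
    sys.exit(1 if result["findings"] else 0)
```

Run it with the JS sub-project directory as the argument; a non-zero exit in CI flags exactly the two conditions the thread complains about. The positive output is the single strict install command for the one declared tool, which is the "one package manager, one lockfile" setup the comment recommends over dispatching to whichever manager happens to be installed.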
Those checked-in specs become the requirements for the system. So the next time you ask the AI to make a fix, it can use those specs as part of the solution and not break another requirement. Basically the code underneath keeps getting rewritten over and over, but that doesn't matter as long as it hits the required specs.
I often hear people talk online about burning data centers to avoid some capitalist dystopia.
It just seems incredibly pessimistic to me. Who wants civil unrest? The rich elite does not want this either.
We will pay people.
Capitalism is not set in stone when human labor is no longer essential for productivity and AI can handle planning that markets currently coordinate through capitalism.
Exactly! The rich don't want to see mass starvation any more than the rest of us. We only permit homelessness and food insecurity now because of scarcity and a "just deserts" mentality where we blame people for their lot in life. When AI is doing the majority of labor, there will be no "just deserts" mentality, and there will be massive abundance.
This is plainly delusional. There already is abundance, global crop lands produce enough calories to feed twice the world’s population[0]. Greed is the reason for inequality and “AI” is not solving that. It is pure wishful utopian thinking to believe that there will be some massive AI-initiated abundance.
Speaking specifically about food insecurity and homelessness in the US, it's not simply greed, it's "just deserts" ideology. It's a belief in the lack of merit of the poor to receive help.
Speaking globally, there are many more barriers to feeding everybody than just abundance, like the other guy said.
Before Codex with GPT 5.4 and 5.5 I was working on a single feature only, no parallel conversations, and a ton of permission prompts would make it impossible for the agent to even work for five minutes on its own.
You seem to be arguing that vibecoding photoshop wasn't possible up until 2 months ago, with GPT 5.4/5.5.
That's a very, very weird take on many, many levels. Could you elaborate a bit about where that view came from, how often you use AI, what's your career etc.?
I am working like 20 hours a week on my new iOS app with Codex.
People on here talk like it was some belief or suggest I am somehow profiting from "hyping" AI.
Is it so hard to believe that agentic coding now works? Engineers are taking it up left and right.
Edit with reply: I can't, because the app is still in the works. Also my HN account is again rate limited and I won't be able to post more comments.
Edit number two to the other comment:
It's not really that expensive. With Anthropic it would be $200, with Codex the $100 subscription is sufficient.
It is interesting phrasing when you say that the providers "are making me think" the use of their service would be better, rather than me reaching this conclusion myself after using their services extensively for my work.
And honestly, I think I've had it with HN. I can't even participate properly in the discussion, maybe because some moderator thought my comments and opinions unworthy again.
I recently had a coworker open my eyes to why vibe coding, or AI-assisted coding is so popular. He likened it to a slot machine, where pulling the slot's arm is like asking an LLM to code something. You get crap most of the time, but when it works, it's like getting a payout. That dopamine hit keeps them pulling, hoping for another hit, and they then believe it's a better way to develop software.
Oh that’s definitely it. Even Steve Yegge mad with vibecoded powers has said it feels a lot like gambling. I wouldn’t trust the judgment of gamblers talking about their ‘winnings’, so to speak.
Hey, rate limits are incredibly frustrating, but contributing to HN is worth it. Try writing a polite, brief email to hn@ycombinator.com with a link to your user profile. Tell them that you’ve re-read the HN guidelines (https://news.ycombinator.com/newsguidelines.html) and that you’re willing to follow them. Then ask if it would be possible for the rate limit to be removed.
My gut reaction looking over your account is that you mean well but get a little heated. For example https://news.ycombinator.com/item?id=48147587 responds to no one in particular and calls HN drivel. Don’t do that. Thoughts like that are normal, but expressing them is difficult to do in a substantive way. It’s often better to not say anything if you feel yourself getting upset. (There are plenty of exceptions to this, but you have to do it in a way where you’re writing for the audience here, not for yourself.)
I think if you really put your mind to it, you can write substantively and stay off the rate limit list. Good luck.
But I don't think I'm going to email the mods and beg them to remove me from some list they added me to without notifying me.
I don’t feel like apologizing for complaining about the drivel some write because they don't like LLMs.
It was not my most substantial or productive comment, but I feel it is fair enough and did not target anyone in particular.
Contributing to HN is not worth it.
I'm spending my time, compromising my privacy, and advising potential competitors on what works best in my workflow. It's often not appreciated, so I might as well stop commenting so much.
> People on here talk like it was some belief or suggest I am somehow profiting from "hyping" AI.
Not really, the "people on here" rather consider that Anthropic and co. are profiting from you by making you think it's better to give them money to develop your app rather than do it yourself or hire a developer. The hype is there to steer you towards AI.
20 hours a week must be quite expensive in tokens.
With GPT 5.4 or 5.5 I did not notice degradation in performance when it was working on a large 5k line file containing a WebView, JS scripts, as well as native UI.
I instructed it to split it up anyway, yet I wonder how often the concerns around the mess are imaginative rather than practical.