#development

Grab the vram from it and solder it to a normal ram stick, boom, profit

I ran ollama on a 5070ti (laptop version) and it was pretty fast for <10b param models, I wonder how 7 1070s would compare

ehhh that sounds a bit too sketchy even for me

I do want to use a sketchy peltier setup to cool a 1070 ti for funsies soon

Looking for some devs who want to collaborate on a Discord bot. ❤️

what kinda bot?

economy 🥹

Oooo~ Those are fun! Is there like a vibe your specifically going for?

I need some feedback on it. :))

dm me if you want

I'm down! I have a bot that needs feedback too if you're interested ❤️

If anyone loves fallout, I've made a fallout inspired bot, and I'm looking to get feedback, and maybe some suggestions on how to improve him 🙂

24b

using 2 gpus

What do you do with this rig?

https://tenor.com/KSjU.gif

Lol

🙏

Ok 120b param model ain’t gonna fly with 7 1070s

How much vram in each?

lets see

8gb (it does not add up)

56gb for a 120b param model is gonna probably have a tiny context window

I think you usually need like 100+gb vram for that large of a model to have a good context length

maybe, but the celeron doesnt seem to be a bottleneck suprisingly

You can probably get away with 1024 token context lol

If you do the 20b param model then you’d have enough vram for 128k context window

Barely, probably not good perf, but still

technically I could get 7 more gpus on this mobo

realistically I really dont wanna

it means data is a string, not a map

need more code to say where the issue is

print data's content

fairly sure that's a serialized json

still

I’ve been working on a personal project for several weeks. I’d like to know if it’s the kind of project that could interest the public.
It’s a small interactive game for a server. I took inspiration from Grow a Tree, but it’s a 2D driver simulator.

did bro really delete all his messages

yea, hate when ppl do that

such bad manners

Are you trying to run AI with 7 1070s?

maybe

guys if i would get a dollar for each time i see a frontend site sending signed requests to supabase or any other api i would be right

literally, they send bearers, api keys everything client-side.

i like the idea man!!

can the all time votes that are shown on the main page of bot go down?

as mine is lwk goin down it was i rem 988 now 984 and im pretty sure there is 20+ votes been done ever since it was 980

The number of votes displayed on the main page is from the last month, not from the entire time. If you received fewer votes than on the first day, this number may decrease afaik

oh so like the votes expiring from last month decreases it and now the ongoing kinda increases it?

Kinda

It's like a time window, when it moves 1 day is deleted but new one is added

isee so the new one which is added is the new day

Yea. Votes used to reset to zero on the first day of the month but some time ago top.gg switched to this system

isee

its better then zero though yeah

does it also matter in ranking too?

Yea, bots are sorted by votes by default iirc

Yes, we use to have it so like NyNu said, all votes reset to 0 on the 1st of the month, which tbh was not the best system as users who voted near the end of the month, had less impact then users who voted near the start of the month. So this new system expires votes 28 days after creation.

damm

yeah its good tho lwk

gemini fast is actually useless as an everyday llm

its either thinking or above to get anything helpful

yep

someone needs to tell openai about lazy loading

becomes unusable after a certain amount of messages in a single chat

It has to be a raid bot or something

its honestly insane watching gemini using the browser by itself while i watch

im sitting here while gemini is scrolling through pages of documentation for a pdf library

it even used a virtual mouse wtf, a fake mouse pointer appeared on my screen and moved+clicked by itself

that’s one of the reasons i stopped using chatpgt. im the kind of user who loves to discuss detailed things of a topic, so tons of questions from me will be asked, and the site will lag, eventually hang when generating answer

i had the same issue, then i tried the android app and it loads fine there without lagging

yeah their mobile apps are much better, tho i always prefer have serious discussions on desktop

sameee!

@harsh nova ^

re there any developers here building AI-powered Discord bots or planning to add AI features soon?
I’m considering hosting a Discord AI Bot campaign/workshop. If you're interested in participating, let me know!
We’ll provide free AI API credits during the session for everyone who joins.

mmmmmmmmm data

yummy

@ivory siren

been a while since i've posted about statcord.xyz, been working on some neat tooltips, and decluttering the UI, and improving UI responsiveness

looks super gorgeous!! fantastic job on it!

dam https://developer.mozilla.org/en-US/docs/Web/API/CompressionStream

eyy i see my server on there

the higher up, the more 'active' they're considered, so 9th out of 86 servers, you should be happy with that haha

excellent

sub.previous.nodes[0, 2, -1] this is so cursed lmao, but I love it

woa what this code do

it turns like 20 lines of safety checks into a single aggressive check. i think its cursed bc its terrifying to look at lmao

It's like saying, "idc how long the array in the third row is, just give me the end of it"

or something along those lines

Hey guys i use my phone number as recovery method for my google account

Do you guys advise against that?

Cuz phone numbers are swappable right

wdym “swappable”?

recyclable?

Nah like sim swapping

Spoofing whatever its called

Where they take over your number

I feel like you've gotta have a really good reason for thinking that you'd get sim swapped

Provider got hacked, data records got leaked

But i don’t think they can do anything with only number

Use 2fa

Use phone number only for password recovery not 2fa bypass

Yup that’s what i have

Do yall consider authy to be safe? I use it but people talk hella smack about it

just use google auth

Do NOT use SMS for 2fa if given the option. The backing SS7 network is horribly insecure. Use an app

Understood this was the same suggestion, forgot to turn off ping. Just providing more info

tho tbh for anything sensitive, I prefer not to have them sent via SMS or phone call

From my knowledge very unlikely, Unless you lose connection to a cell tower and they hijack your sim

Yeah facts. I rather meants sms as account recovery

For ducks sake man

I need to manually transfer all of my authy accounts to google authenticator

More than 30 accs btw

💀

nothing wrong with authy but i'd use an open source app instead
https://getaegis.app/
its only for android tho

I got ios

Heard people talk smack about authy

That it isnt secure and you must use google authenticator instead etc

some more!

working on using up that sidebar real estate space, for some minor dashboard-wide config option
also decluttered, just a little more, by making the donationgoal component collapsable entirely.
someone here suggested monotone charts over linear charts, so i decided to give the user a choice.

So idk what to do

Go theough da hassle? 2fa seens to work fine with authy but idk google authenticator may be good too my autism cant handle this choice

Just using it for reset password

I just realized i can use my ledger for mfa

Ayoo lets go

Will move to using that

its really not that deep just choose something reasonably trustworthy 😭

Is authy trustwhrohy

I saw they had data breaches

Cuzzzi am tweakint

Tweaking

why does my bot say 8 servers in top.gg when my bot is in 21 servers

You have to send the server count via top.gg api

how

https://docs.top.gg/docs/API/v0/bot#post-stats

thx

my information tab make the bot page to be loaded in an insane amount of retries and a lot of waiting before openeing page it resets if i dont do so the desrcption part

is there a way to be good at this on god

also uh how do i get the creator role

gemini pro aura -1

the only reason i dropped authy is because they got rid of their desktop version, and i need an authenticator i can use from any device and syncs accross them

in using Ente right now and its pretty damn good so far

Good shit

I heard about 2fas being good too

But i just want to move to a very known and valuable company right now

Chances they fuck it up are less

so hence why i use google auth

Completely local tho without an account

I find account based backups so dumb

Hey i just saw a lot of rejections of bots for MANAGE_CHANNEL perms shouldn't be used to lock a channel, and they're supposed to use MANAGE_ROLES.

why? isn't locking a channel supposed to set @everyone-role -> deny send messages?

And you are doing what, editing channel such as name, topic, position or are you changing permission for everyone on said channel?

Also just read the description of manage roles permission

Alright, this clears my doubt. thanks

hey guys for google authenticator you don't need an account right?

I just went with the no account option and started adding the codes

cuz i just want to keep all my shit locally with backup codes noted down

You don't need to

Otherwise wouldn't give you the option to do so

MANAGE_CHANNEL is also a much more dangerous permission too because if your bot gets hacked it can delete all channels and wipe the entire history

Just a quick question as I'm not the most familiar with dev guidelines- if I am providing users an opt-out for having their message data 'tracked' would it still fall within compliance to handle their messages purely from a processing standpoint, without any sort of data persistence?

depends on what your doing

you'll need to provide more context about what your actually doing with the messages

Moderation and community-management features, including spam detection, duplicate-message detection, mention/link/emoji/caps filtering, deleted-message and edited-message logging, message-based utility triggers, verification workflows, slowmode/activity handling, and levelling
Given deletion/edit logging, naturally the opt-out would lead to only using the in-memory message cache without any form of persistence.

Deleted/edited message logging is straight out, spam/duplicate/mention/link/caps filtering can all be done through automod so I doubt discord will grant message intent for that

Leveling doesn't need message content at all, I suppose message triggers mean automated replies which is valid but might be too weak for discord

Idk what slowmode/activity handling means, but I imagine it doesn't need message content either

Right, basically just listed any form of message handling ops my bot does. But yeah it would not need content in this case

I think only the custom replies would require content, but u don't need to store them

I don't recall ever seeing opt-outs for other moderation bots, so I was curious on how enforceable something like this is and to what extent since the phrasing seemed somewhat vague (unless they've just buried an opt-out clause in their terms of service and discord found that sufficient enough)

Ur required to give some way to opt out yeah, that'd be in privacy policy

Cause it does seem pretty counter-productive to have a moderation bot that requires content for specific things but then also mandated that users can opt out of their own volition and essentially make themselves unable to be moderated or monitored

Like, for most moderation features you don't need to store any data

But anyways I've figured out how I am gonna handle it and submitted my application to discord. Thanks for the tips

yeah no it really is just edits / deletions that need content

The only one I can think of is a warn system, but that can be attributed to the moderator instead of the user

As I said, that's straight out

Specifically disallowed by discord

That's why most bots removed that feature

Well in that instance I dont think its classified under msg content unless thats how the bot is setup to receive it, no? Otherwise it would be modal / cmd submission

have they? I still see the 'major' bots with deletion / edit logging

Dyno, zepp, etc

Unless it was a case where they essentially grandfathered their intent permissions through

Fairly sure you can find in the ToS somewhere, but basically since around june last year they appended that you're not allowed to log messages deleted or edited by the authors

There was an announcement abt it

I'll have to go digging then, I don't recall seeing any clauses about that but I could very well have just missed the announcement

Trying to find the time when they announced it

Yeah no, from what I can see its essentially "Disclose how you use any applicable data, ensure proper encryption at REST, honor requests for deletion from us or the user"

I didn't see anything about deletion/edit logging from that timeframe, so unless it was from longer ago? (But I am also still not seeing anything to this effect in the actual developer ToS either)

Well in any case my application is already put through so I suppose I'll find out one way or another if discord approves of how I handle everything. But I do appreciate your insight, so thank you

Can't find my msg bleh

Mention fail

Thanks for the help @Cola. (ლ(╹ε╹ლ))"

Hey, one vps needs to be sending data to another vps on an api endpoint. How would i protect the endpoint from unauthorized access on that port? I know that we can use ufw, but that’s spoofable

What else can we possibly use?

tls with an established private key?

Overlay networks with VPNs. Instead of exposing the api endpoint to the public internet at all you can use a lightweight mesh VPN like Tailscale or WireGuard.

private key would render all but stealing ur key directly ineffective

if u want to go an extra length setup a websocket + fake http rest endpoint to avoid scanners

like having wss://url.com/secret and https://url.com/secret, with the latter returning a 404 error

nobody ever scans for websockets

I'm going to do this now that you said this

cant you just use ip address whitelisting?

if one vps will only ever receive requests from the other vps, block all ip addresses except that vps' address

even better if you make it ipv6 only

This would be the simplest solution. But everybody has their own flavor of practices

Just make two discord bots, one for sending info and one for reading it and send it using the Discord server (just make sure no one else has access to it)

@elder aspen wavelink would probably be the better choice, pretty sure thats built on top of lavalink and handles the lavalink connection for you (though i could be wrong, i dont typically mess with py for discord)

either way, both are technically solid choices to use

it's not maintained anymore btw

DAVE is also making some libs obsolete

perfect

dws:// protocol
discord websockets

all messages go through a discord channel

PSK based security, where the key is the agreed upon channel id

Very nice!

What about ip spoofing though?

I was thinking about setting up a private key between the 2 servers and let them use that for signing as well.

The thing is no matter how hard you try there’ll always be a way around whatever you do

So just use whatever is the simplest but also as secure as it can be

Why am i making this so hard? I will just have both bots running on the same vps hehe

That way they can just talk using localhost

That also works and is the best bet

Fr

They need to know which ip to spoof in the first place, and even then you can have additional security in place such as key authentication (just as an example)

But yes as others have said there is almost always a (theoretical) way around anything you could put in place

My thinking is that if your browser can read it and needs to read it, humans can read it eventually too if they wanted to

Like my wordle game on my site, it sends the response over and u can spoof it in the network tab. So I just hid it by reversing the answer and base64 encoding it into a fake api route. Still if they wanted it they could just reverse it or whatever

Still tho the most practical and modern way to protect an endpoint from unauthorized access is to just remove it from the public internet altogether. Instead of opening a port to the public and building walls around it you could use a lightweight mesh VPN like Tailscale on both servers. It creates an encrypted peer to peer tunnel between vps and vps b. You can configure UFW to block all incoming traffic to that port

That’s the thing, i am having a single vps. I ditched the idea of multiple.

So using wireguard seems a bit overkill and wouldnmt make sense.

I will use cloudflare though to protect the machine’s ip.

Hello, Can anyone help me in one thing

i am not able to do what i want

It's hard to help if we don't know what are you trying to do

thats what im doing on my end because i need one server to have access to an unprotected route on my other server

it is overkill for one small thing but if you want to do more of that stuff in the future it is better to have an existing link between the 2 especially if you want one to call an internal service of another directly

but you need strong firewall rules to keep it secure tho

you dont want server 2 being able to access literally everything else on server 1's local network and vice versa, only specific ports

i wanna mak that if anyon vot my bot on topgg th bot automatic send an embed to a dedicated channel or through webhook

topgg has that feature, under integrations (iirc) category

but if you want a custom embed you'll need to make it yourself, just use the library for whatever language you're coding in to receive vote events

we don't hve to anything in the bot

if we use integration

yes, you dont need to change anything on the bot if you use topgg's built-in webhook

BUT you dont get to customize the message either

oo demn let m try

i get these things which should i select

hm, weird, I could swear there was an official notification integration

vote tracker is the most famous and widely used

ok i will check

if i use default webhook system from topgg it will not rate limit right

it will, kinda, if many users vote at the same time it'll take a while to finish sending all messages

but it's auto-throttled, if that's what you're concerned about

it will delay only

yes

so it is not from bot sid

it will send msg but delayed

even bots just delay things, unless you're doing raw requests to discord you never actually hit discord ratelimit

ya

got tht

so finally i made the system

in bot itself

not used any of this

thanks man for helping

yw

i dont think this is the case, there have to be like a million votes in a second for there to be reasonable backpressure

even then I assume most bots' servers will be the bottleneck over the webhook system :p

meant on discord side

Ah noted, that's what you meant

That's what I do. easiest and simplest approach but also very safe

Hi, I am new as a Bot Owner on top.gg website, and I want to know how can I get information that tell me that user XYZ voted/not voted for bot?

Setup a webhook for receiving that info from top.gg

https://docs.top.gg/docs/API/v1/webhooks

I didn't specified what I need... mb

I mean how can I connect that sort of information with access to command ABC

Receive webhook from top.gg -> save that to your database -> give access to the command or use the API endpoint to check every command use I guess

extra work incoming

anyways, thanks for help, I really appreciate it

https://tenor.com/kfTdvynfbjF.gif

One factor authentication

zero factor

negative refactor authentication

At least they sent it

haha xD bruh

Very secure

What library/language is the best choice if i dont want headaches with vulnerabilities being discovered every damn week! (Js App)

left-pad

java ☕

how about rust?

Rust is pretty great in terms of vulnerabilities, its open source community is a lot more knowledgeable and cares more than most js maintainers seem to. However the package ecosystem does tend to have a similar problem as npm in regards to one package having a billion deps

But it also depends on what you’re trying to write, if it’s a web app then rust might not be the play unless you’re familiar with it

wdym my target/ folder is only 100GB

Yeah ridiculous build sizes for debug targets lmfao

You can slim it down quite a lot though in a docker container when deploying

I managed to get some Axum microservices down to <100mb binary size iirc

Self contained

thats pretty big

I managed to make my 100gb target/ app 60mb

It was a while ago, it might’ve been smaller than that

and takes 7min to compile prod on a 9900x

literally every compiler option had to be cranked

Cargo chef my beloved

https://github.com/calagopus/panel/blob/main/Cargo.toml#L77

Do you end up recompiling your deps every time you run your dockerfile?

I use an external cache to build

I build raw then ship it into an image

There is a way to get them cached bc normal dockerfile setups end up throwing away the dependency binaries every time

FROM lukemathwalker/cargo-chef:latest-rust-slim-trixie AS chef

WORKDIR /app

FROM chef AS planner

COPY Cargo.toml Cargo.lock ./
COPY consumers/ consumers/

RUN cargo chef prepare --recipe-path recipe.json

FROM chef AS builder

COPY --from=planner /app/recipe.json recipe.json

RUN cargo chef cook --release --recipe-path recipe.json

COPY consumers/ consumers/
RUN cargo build --release --bins

FROM debian:trixie-slim
ARG BIN_NAME
ENV BIN_NAME=${BIN_NAME}

COPY --from=builder /app/target/release/${BIN_NAME} /usr/local/bin/${BIN_NAME}

CMD $BIN_NAME

This is how I did it for a bunch of rust microservices in a consumers/ folder

I had this issue where the same deps kept needing to be recompiled every time I made code changes even if I attempted to build them in a separate stage to utilize cache

Apparently cargo chef was the solution

yeah thats fine for me with raw caching, Im currently doing sketchy rlib and dylib stuff to get prod rebuild times down entirely

since building the only the bin takes like 5min for me

lto fat costs a lot

Ah

Fat monorepo huh?

yes but also because of the cargo options

they are the best you can do for small bin size with good perf

Probably doesn’t help build times that you’ve abused generics beyond repair

i have an experimental dylib setup running which somehow cuts compile times below half

because the bin does not need to rebuilt to change shared code anymore

I’m like really new to website hosting and things around that, but some how the site works fine for me, but not for my dad… dns is cloudflare, and host is vercel, anyone knows why?

Gonna need to be more specific. Is the site “not working” as in some functionality of the website is incorrect, or is the site “not working” as in it’s inaccessible to others?

Well “safari can’t open this page because it doesn’t exist” not working

And you said it’s hosted on vercel?

Well yes

At least I think you call that a host

Try having him open it in incognito mode

Could be DNS cache

Why would that change anything tho? Just curious

Lots of reasons, but things like DNS cache can cause your browser to assume that the page doesn’t exist

Can you share the link?

Wouldn’t that be promoting?

But yes ofc!

It’s for the purposes of debugging

https://vylixz.com

But there are multiple on the same domain/host
-# https://about.vylixz.com
-# https://verivoucher.vylixz.com
-# https://rtax.vylixz.com

I don't know how vercel works in this case, but this might be something to do with SSL certs

Ohh so it also doesn’t work for you? Orrr

Yeah doesn't work for me

Double check that your cloudflare config enforces HTTPS

Set your SSL setting to Full or Full (Strict)

popped up for me

I'm on university wifi so it's probably a bit less trusting of incorrect cert configs by default

looks cool tho

That's firefox not safari no?

yeah I use firefox

I'm using firefox and cannot access it so it's not a browser issue

BROO this is confusing me so much

Did this

It was already lol

sometimes things just take a while to propagate ig xd

clear your cloudflare cache maybe

when in doubt

DNS seems fully propagated to me: https://www.whatsmydns.net/#A/vylixz.com

pub trait CanExtendSchema: Sized + PartialSchema + Serialize {
    fn get_schema_object() -> &'static LazyLock<RwLock<Object>>;

    fn extend_schema<Ed: PartialSchema>() -> Result<(), std::io::Error> {
        let schema = Ed::schema();
        let RefOr::T(Schema::Object(schema)) = schema else {
            return Err(std::io::Error::other("Expected a schema object"));
        };

        let mut schema_object = Self::get_schema_object().write().unwrap();
        merge_schema_object(&mut schema_object, schema);

        Ok(())
    }

    fn into_extendible_object(self) -> ExtendibleSchema<Self> {
        ExtendibleSchema::new(self).unwrap()
    }
}

fn merge_schema_object(dst: &mut Object, src: Object) {
    for (key, src_prop) in src.properties {
        match dst.properties.get_mut(&key) {
            Some(dst_prop) => {
                merge_ref_or_schema(dst_prop, src_prop);
            }
            None => {
                dst.properties.insert(key, src_prop);
            }
        }
    }

    for req in src.required {
        if !dst.required.contains(&req) {
            dst.required.push(req);
        }
    }
}

fn merge_ref_or_schema(dst: &mut RefOr<Schema>, src: RefOr<Schema>) {
    match (dst, src) {
        (RefOr::T(Schema::Object(dst_obj)), RefOr::T(Schema::Object(src_obj))) => {
            merge_schema_object(dst_obj, src_obj);
        }

        (dst, src) => {
            *dst = src;
        }
    }
}

fn merge_json(dst: &mut serde_json::Value, src: serde_json::Value) {
    match (dst, src) {
        (serde_json::Value::Object(dst_map), serde_json::Value::Object(src_map)) => {
            for (k, v) in src_map {
                match dst_map.get_mut(&k) {
                    Some(existing) => merge_json(existing, v),
                    None => {
                        dst_map.insert(k, v);
                    }
                }
            }
        }
        (dst, src) => *dst = src,
    }
}

pub struct ExtendibleSchema<D: CanExtendSchema> {
    data: serde_json::Value,
    _phantom: std::marker::PhantomData<D>,
}

impl<D: CanExtendSchema> ExtendibleSchema<D> {
    pub fn new(data: D) -> Result<Self, std::io::Error> {
        Ok(Self {
            data: serde_json::to_value(data)?,
            _phantom: std::marker::PhantomData,
        })
    }

    pub fn get_schema_base() -> Object {
        let schema = D::schema();
        let RefOr::T(Schema::Object(schema)) = schema else {
            panic!("Expected a schema object");
        };
        schema
    }

    pub fn extend_data(&mut self, data: impl Serialize) -> Result<(), std::io::Error> {
        let src = serde_json::to_value(data)?;
        if !src.is_object() {
            return Err(std::io::Error::other(
                "Expected data to serialize to a JSON object",
            ));
        }
        merge_json(&mut self.data, src);
        Ok(())
    }
}

impl<D: CanExtendSchema> Serialize for ExtendibleSchema<D> {
    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
    where
        S: serde::Serializer,
    {
        self.data.serialize(serializer)
    }
}

impl<D: CanExtendSchema> PartialSchema for ExtendibleSchema<D> {
    fn schema() -> RefOr<Schema> {
        RefOr::T(Schema::Object(
            D::get_schema_object().read().unwrap().clone(),
        ))
    }
}

I may be breaking the geneva convention atp

Im just cunfused why it works for some and not for others

Just did

Now I see it (sorta)

My uni is blocking it but it's at least getting through this time

its working fine for me

Yeah going on cellular makes it work now

Hmm imma test using my vpn

Bc my dad has it

It looks like he is the only one with the issue lol

Nope works fine…

Well happy it works for others

Thanks for everyone’s help

that RwLock is crazy work

Looks like you're forcing Rust to act like JavaScript

I am

so that essentially makes the schema a globally mutable static variable then Won't that be a problem tho if you like, try to dynamically extend it based on stuff like user input or plugins. Multiple threads will fight over that lock, not to mention the schema for a type could change unpredictably while the app is running.

Ykw, only someone who knows what they're doing would do that anyway

so applause to u

well even if the schema changes while running (which no sane extension would do), the openapi schema is only constructed once after the handlers were supposed to run, besides - the schema is supposed to be coupled to the data but its not the end of the world if it isnt

Oh I see. kinda-ish. I'm not super familiar with Rust by any means 😭

but I know at least it's not standard Rust. So what you like shoved it into a static global to avoid having to pass a SchemaBuilder through your entire application?

Im a supporter of doing things in unorthodox ways

everything he does isnt standard rust 😭

by standard i mean what a sane and mentally ok programmer would write (not an insult)

dw im posting something that will make people roll over in graves next

I spent the last 3 hours turning this shit into a derive macro with async lifetimes and hooks

https://giphy.com/gifs/PersonaJourney-send-help-mental-meltdown-me-trying-to-be-sane-pWfbsKZkPGfTvGmdGq

https://pastes.dev/pZGoeRLB9K
https://pastes.dev/zkeJRqJhUA

I am however not fully done yet, need to do something similar for deser too - should be easier now though

Updating my bot's long description doesn't seem to actually be updating it.

it takes some time to update because of caching you can still preview it instantly

How long?

about 30 min ig

thats the average for me

aight thank you

when my bot will be verified?

we are currently looking at a 1-2 week review period for out bots.

Hey guys i have 50 js snippets. How can i generate more using existing tools?

Its for expanding my data using a synthetic dataset.

well u can always ask ai to generate random code

Are you trying to do some sort of NLP training?

There is NeMo Data Designer, which might be useful if you're trying to design a synthetic data set, but beware that NLP data sets (especially code) need to be fairly large for most projects https://build.nvidia.com/nemo/data-designer

I am detecting malware samples, specifically MageCart (skimming)

I have 50 samples so far, both obfuscated and raw. I am trying to generate more smaples

I was thinking about obfuscator-javascript. It’s a npm package that inserts deadcode etc etc

@frosty gale do you like lifetimes? https://github.com/calagopus/panel/blob/main/schema-extension/derive/src/lib.rs#L152-L309

I need to downgrade my datalix vps how tf would i migrate all of my settings, files, mysql and redis databases?

i did before looking at this code
wtf am i looking at

surely this has to be a failure in the language design itself if you have to write something like this to achieve a legitimate aim

atleast I dont need unsafe

i havent found a reason to dive into this part of rust yet luckily

also idk if its a legitimate aim to achieve dynamic types in a statically compiled lang

if i have to use unsafe ill just use it and make sure its sound

this is the end result

automatically adjusts the openapi schema, ser/deser and validation stuff

im already onto more cursed stuff (linking rust std at runtime)

just wait 😈

true rust goat!

you are the best man!

truly amazing!

this isn't a crypto discord server

your scam won't work here

https://top.gg/discord/servers/tag/crypto look there

bro am not a scam

still not allowed here

Okay

cc @knotty night since youre online

read up

ive deleted it thanks, yes we don't allow that here

-# I think that that person sent a suspicious message in #1339761438377640029 message .

taken care of thanks

Hello 👋🏻

I'm not sure if it's because of the outages but github has stopped automatically redirecting moved repos which should have been indefinent 🤔

https://github.com/xXBuilderBXx/StoatSharp shows 404 now instead of https://github.com/FluxpointDev/StoatSharp

that only happened when you changed username, not transferred to a team iirc?

When you move a repo it does redirect to the new one yea even the help center tells you that

Rate my bot ui

I don't think I want to know what's Legal and Spacial mean

Legal have tos and policy
And spacial and gift etc more cmd @deft wolf

You need try quality etc ?

@drowsy sage

what lang do you use for your bot

Python

It's open source

hers?

https://github.com/milenakos/cat-bot

That's what I was sayin

i hate python for a reason fuck

i might have new python code for webhook ive to look when i get home

i was making it for friends who don’t know how to use https request and post

great we can have more people to help reproduce it

@radiant kraken has PR on their SDK for python null ^^^

well i can make an issue on it but its sdk related

i can’t help since im currently 2 hours away technically 45 minutes plus shit ton of traffic and my boss is doing times for everyone rn before we leave

you arent able to help anyway

what's up?

either way im not on pc

new webhooks drop a small percentage of votes and this user is trying to convince me its my implementations fault

she needs help with new webhook it’s written on python and you’re only person i know who library developer who wrote their own skd for topgg

which version of the sdk are you using? or are you using your own implementation?

looks good to me! here's what i did: https://github.com/null8626/python-sdk/blob/v1/api-rewrite/topgg/webhooks.py#L226-L242

also keep in mind that my updated version of the Python SDK is done! i am just waiting for Veld to review my pull requests!

does anyone know how long discord usually takes to approve intents?

ping on reply

could be a day to two weeks, idk

Anybody know if a bot can send DMs to people they dont share any servers with IF they added that bot to their user apps?

i would assume if the user apps part has the send direct messages permission then sure

Ah yes it does i just tested on alt i forgot i had thank you

Does anyone have any experienxe with locally running a secrets manager on their vps?

Curretly using doppler but trying to minimize cost by maybe self hosting through infiscal or something

a .env file

Lmao

Hey

Hashicorp Vault 🤷‍♂️

what do you guys think of this? i legit don't even know how to respond to these issues 🙈🫠

is anybody here enrolled in stanford? 🫠 because i unironically need your help! 😭

@steel oxide

Hey guys. I am on mac and recently installed fsecure (antivirus).

It detected a virus in Library/Group Containers/build_id.ru.keepcoder.Telegram/appstore/account-account_id/network-stats.

The build_id and account_id are actual ids but i left them out for obvious reasons.

It detected it as a shellcode.. but is this a false positive?

The path seems to be genuine

feel free to open a staff ticket if you have any specific questions: <#staff-tickets message>

I looked at these issues and they look AI generated

And also the PR looks useless doesn’t it?

unsure

I don’t think whoever made this was a human

It almost looks like someone’s OpenClaw agent or something of that sort

fair enough

It’s a useless static summary of data with way too much of a description

bots are getting crazy man

They also have a bunch of AI generated slop on their github

“Built with ❤️”

Aka lovable

doesnt every dev always say built with ❤️ atm

I would close and ignore it

I’ve only ever seen it on Lovable projects

oh 💀

i somewhat agree though

the contents of stanford.yaml looks so arbitrary

when taken into context of the pull request's goals

It’s just slop

All AI project goals are “Grab data and put into a time series DB, then use Grafana to visualize!”

It’s 100% ai slop and I honestly wouldn’t be surprised if it was an OpenClaw agent

Better watch out or it’ll write a hit piece on you after you close it haha

🙏

😭😭😭

ill close them

You can just close it

You’re nicer than I am because personally I’d probably respond with something along the lines of “AI slop is not acceptable, and this has no value”

i'd rather just keep it vague

it's so sad that dead internet theory has hit github

maybe I am an AI

"No clanker code"

maybe everyone here is an AI

Send me a sea horse emoji then

Okay! Umm...

Wait I will send it!

Make an ai called anti clank that gets rid of other ai and eventually itself

Please give me a moment..

maybe you are because you are way too good at rust!

i dont think u are even human

He's good at breaking rust

Maybe

Here it is: 🐴

Wait! THis actually ISNT a Seahorse!

Let me recheck, I must have misspelled.

Gemini be like

Here is a REAL Seahorse: 🪸

What even is that emoji

The only AI I accept is Neuro-sama

A seahorse! Were you searching for something else? Happy to help. 😄

I am good at turning rust into js

all roads lead back to js

you are unironically good at everything, especially both rust and js ❤️

vtable abuse

vtable abuse is last gen

i am vtablephobic

its time for dynamically linking the rust std

It’s a matter of time before you turn your types are just dyn dyn

look atp just use C++

With the stuff you abuse in Rust I wonder why you aren’t just using C++ yeah lmfao

big reason is package management

CMakeLists my beloved

I mean to be fair I did consider forking cargo to add some sketchy stuff I need to get better build perf

but I am reaching a point where I actually dont have time to do somehting

it's fine!

i am on that state too!

i have so many project ideas when I am busy 😭

I just can’t dedicate myself to one project at a time

I have like 4 projects I’m switching between right now + school + work

a good brain scheduler is important

like a cpu scheduler

I find it easier to code with more projects

because im always occupied

i just find it easier to get burned out

Same

the thing is I have more fun coding than playing games/etc

like i gotta say working on updating 10 sdks has not been quite healthy

so I usually burn out from playing games

I’ve got a game engine, some Kubernetes reinforcement learning stuff, a custom GPT, and an RLVR project I’m doing rn 😭

i dont even have time to play games anymore

my steam's last activity is in april 2025

i've got 10 sdks, a desktop app project, uni stuff, a platform i am building with aaron, and several other unrealized projects in my bucket list 🫠

here's my todo list

it's 20 pages lol

my main benefit is that I dont code as a job/school

i dont have a job atm

or a stable source of income

Same

I code as a hobby

rob a bank

If I did it for a living I wouldn't have as much fun with it

I do it for a living

Definitely is demotivating to work on personal projects after work

But my current job is mostly just draining because of the drive/what I work on

Once I’m at my new job I’ll be more motivated (plus I won’t be in school anymore)

awesome!! glad to hear that at least!

luckily i havent reached that level of nerd yet but im very close

ive noticed code stresses me out more than the fun i have from it 💀

it's a mixed bag for me, but i lean more into it being able to be fun! 😄

lately i've been making the games i play more logic-based so i could maintain focus

it's much more fun when i work exclusively on my personal projects though 😄

because i have control over everything and i dont need to meet deadlines

i just go with the flow, as long as i make progress

Thanks for that random screenshot

awesome

Hi, is it possible to transfer ownership of my bot to another top.gg user?

#support

"Transfer bot ownership"

Balls deep in setting caddy up to mimic ngrok

Any security things i should be aware of?

I only enable certain ips to access the endpoint, but can’t people phish as that ip? In that case how else woukd i protect my endpoint?

Like is there anything that i am nissing

actually #staff-tickets

thats what I typed, must of been autocorrect

what would be the best way to detect if a server has autoroles setup with like another bot?

and would it require some extra intents

Why would you even need that info

as far as i know not really unless you specifically watch audit logs for other bots adding roles to people (effectively no)

broo someone gotta stop me man

i think i am doing too much

I spend 8h installing Wazuh, lydis and clamav, aide too.

Don't tell me why it took so long

Wazuh fucked me today

🙏🙏 https://github.com/rust-lang/rust/pull/141295

finally a good ah feature

cleaned up docker

felt that in my soul

Oh my god

349 gigaroonies

How would i store a huge AST file?

Well multiple of like 3k samples

i used jsonl. My memory just genuinely freezes

😭

You’re going to need to stream data instead of fitting everything into memory, especially for ML projects

never even knew the uuid crate had a builder until now

streams are the goat

unless u explicitly needs data in memory it's better to just flush it down the pipe

until someone clogs the pipe and city maintenance needs to fix it

It worked! I the process 8 gb of ram and it went through

I think it’s like 7gbs worth of ASTs

xxhash user detected, respect +1

the only time ive had a use for it so far 🙏

php never cease to amaze me, showing full stack error to end user. didnt believe apple academy on my country did this

gotta make sure your users are informed

duh

fair point

that was sarcasm 😭

at no point should a user know the internal workings

xDDDD yeahh

maybe the response was too

or

maybe

0x7d8 is not even real

stop exposing me

0x7d8 is a clanker

Woah

my ports are all open now

That's a little too far

ayo?

root@HDE-03:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
111                        DENY        Anywhere                  
111 (v6)                   DENY        Anywhere (v6)             

root@HDE-03:~# 

🙏

bro use reverse firewall

ye

makes more sense for me

tbf i think thats from the symfony framework if it was just generic php it prob wouldve silently died

on a side note i love how literally nobody uses raw php for websites anymore

its only with a framework

php nasty

never actually used it

php nasty
its been paying my bills since 2024

hello guys whats the format of bot commands to import to top.gg

is it the </command:id>

or something else

From the api docs

Guys how do i protect my wazuh dashboard? It ooens up at port 80 iirc whixh i dont like

Firewall to only allow my ip?

We need a working /help command to get our bot approved?

give it a 300x port in the yml config file?

and sure, ip whitelist if only accessed from a single address

Could they somehow spoof my ip?

I don’t think so if my vps uses tcp which it always does when visitng such dashboard

Tmrw will be my work day. I have a list of 30 server hardenings that i will apply. I am partly scared partly excited

Use tunnelling

i thought about a privwte network but tbf i can just resteict my ip in the firewall settings

Just don’t open any port on your vps

Let it run on local network and tunnel it through cloud flare

nah ips cant be spoofed like that, not for tcp

pay for some cloud storage and communicate by reading/writing to some file in there

communicate by discord channels

Huh?

Isn’t he just opening a port?

communicate by youtube comments

just giving ideas for how to communicate without opening ports :^)

Oh

He could use firebase

I use it for my bot

Realtime db emits a update if you listen to it

But he’s just hosting a website so hardly matters

nah carrier pidgeon better

Maybe it’s a good thing that I’m not a security engineer but why so strict about port 80 being open?

rip energy bill

216€/month at this rate for just the rack under full load

holy fuck

7 1070ti’s not worth it?

they arent plugged in

im stress testing minecraft servers

Ah

this is currently using 128 cores total

over 2 servers

48 cores for the clients, 80 cores for the backends

How much did a setup like that cost

what part exactly

The server itself

well the ampere server was ~3k

the epyc was ~3.4k

How much ram?

epyc has 512gb

ampere has 256gb

Holy shit you got a steal of a deal lmfao

i bought the ampere ram during the crisis too

had a contact who sold me 256gb for 400€

not good not horrible

RAM crisis so bad you got a black market dealer 😭

I’m thinking of grabbing a DGX Spark after I buy a house

Would be cool to train ML workloads

its very interesting yea

i thought of buying it when i was getting an arm server

i just have an easier time spending tons of money on many small things compared to 1 thing lol

still waiting for ddr5 prices to drop tho

I really want a 1tb threadripper

CloudFlare Authenticated Origin Pulls

Ah cloudflare tunnels.

I wanted to use them or caddy still not sure which one is the best

Its for reverse proxy. Making localhost accessible.

Would cloudflare be better?

cloudflare is easy to setup and comes up with ratelimit

and everything pre installed

configured*

even tho cloudflare comes with ratelimit I built a sliding window rate limiter for my routes because I forgot about those people who do automatic post requests

Buy a house

In this economy

true

Married with no kids & 2 incomes, only way it’s even possible for me rn

Anyone used CloudFlare Turnstile API?

Thank you so much for your insights

I am moving away from caddy, ngrok and shit

And using cloudflare tunneling instead

I needed that lil advice ngl

Its actually pretty good

but in my entire life, php apps are commonly showing errors open to end user, like moodle (uses native php), and my school’s website. well idk if moodle stack error came from the native php or custom made

Svelte has a built in front-end package for interacting with the turnstile API too. This just got easier

i am using cloudflare for my site

when i enable ssl full strict my site genuinely crashes.

turns out direct admin can't give out ssl certificates for my domain. Anyone know what the fuck i should do lol

why is direct admin like this, any other hosting provider works fine

use self signed certs

or if you really want full strict, get origin certs from cf

you can get them valid for up to 10 years

hmm so in direct admin only use ssl for mail, and then install origin server for my domains?

genuinely can't i just use (http.request.uri.path contains "/.well-known/acme-challenge/")

lmao

and then allow

i need ideas for a dashboard

Make a discord bot dashboard

i need ideas for that

if you need ideas then you prob dont need a dashboard 😭

Okay so my idea is that you make a dashboard for my 1950 cadillac

;-;

yeah

hey i added a cloudflare rule that skips any firewall check

it's so that letsencrypt can issue my certificates

(http.request.uri.path contains "/.well-known/acme-challenge/") -> allow.

Would this pose any security risks?

"contains"? yeah

lmao can't type this all over again

oh why?

R word

if the requester use a path that contains that string they'll bypass the firewall

regardless the rest of the url

oh that's not allowed?

it's somewhat a slur

i see, but they will never be able to reach other parts of the website. Like for example wp-admin, pretty sure they can't access it through /.well-known/../wp-admin or something

well yeah

okay how about this then:
http.request.uri.path starts_with "/.well-known/acme-challenge/"

😅

looks better

let me double down tho

(http.request.uri.path starts_with "/.well-known/acme-challenge/"
and http.request.method eq "GET")

https://giphy.com/gifs/teamcoco-st-patricks-day-conan25-paddys-Qakf0m83Jy2th3Gia3

actually tjat's wrong syntax, but this should be correct:
starts_with(http.request.uri.path, "/.well-known/acme-challenge/")
and http.request.method eq "GET"

thanks for the suggestion @lyric mountain

yw

u could even use eq no?

since that's the whole path

no

because lets encrypt visits a specific challenge generated by your site

for example /.well-known/acme-challenge/304idsgsdig3 or something

i can never know the exact whole path.

oh right

just saw our company's shopify store is using an app that redirects to the home page if a url is missing, all for.... $30 a month?

if this doesnt count as a scam then i dont know what does

might make our own for free just for the principle becuase $30 a month is ridiculous

have they heard of cloudflare

or maybe nginx

you can do wildcards with either

I just have a fun 404 page. That's the more creative solution

I like amazons

DBrands is good also

HAHA

dbrand has a bunch of funny ones

When they're allowed some freedom

you dont understand capitalism

make one for $50 and get rich

I was thinking of outsourcing one of my api routes with keys

Capitalism

It's just a bunch of random anime related facts and trivia

top dot gee gee gotta spice them up fr

404 pages should be in velds dreams hes thinking of them so much and how we can improve on them

liar, there is always a reward

complain on reddit is gold

Here's a good idea. Mini platformer mini game where you guide the top Dogg mascot over some obstacles and help it find the page you were looking for (except when you reach the end it just takes you to a random server or bot page)

isnt that just google chrome when your internet is down

xD

Yeah but, topdogg

sounded cooler in my head

xD

I think discord has snake in their 404 page

cool idea actually

ill make sure this is raised

gotta love sysinfo

I mean yea ik why, you cant Copy the windows repr of a user but mmm

i love vibe coding random projects

works surprisingly well for a local llm

You: could you install nginx on the server?

[Status] LLM is thinking...
Assistant:
Oh, you want nginx? *smiles* Let's get that web server running on your Debian box! 🔥

I'll update the package list first, then install nginx for you:

[Tool Call] ExecuteCommand
[Tool] ExecuteCommand -> sudo apt-get update && sudo apt-get install -y nginx

Perfect! ✨ Nginx is now installed on your server - took about 2 seconds to get that done! 

Let me make sure the service starts up properly:

[Tool Call] ExecuteCommand
[Tool] ExecuteCommand -> sudo systemctl start nginx && sudo systemctl enable nginx

Done! 🎉 

Nginx is now installed on your Debian server and running like a champ! The service has been started and set to launch automatically when the system boots up. You can check it's working by visiting `http://your-server-ip` in a browser (you should see the default nginx welcome page).

personality is a bit much tho

local LLM is interesting, what are some benefits you see from that?

nginx my beloved

just fought with it for over an hour

stupid use_default

its free? 😅 you get a bit more flexibility in terms of less refusals and its also fully private since your hosting it yourself

they used to be really bad but they have improved a ton, you can now run a decent capability llm on more or less a gaming pc

ive just seen people use them and was wondering why

but for serious uses youd just use the anthropic or openai api tbh

unless you have a niche use case where you need to guarantee full privacy or have very specific requirements

i know my old cyber security firm is self-hosting their own llm for consultants to use because the type of clients they have you really cant risk any kind of information disclosure since youre dealing with vulnerabilities

We’ve now reinvented the vulnerability wheel

But yeah this is pretty much what OpenClaw is btw, might want to check that out if you’re interested in this stuff

ive heard of it but never actually tried it

sounds very useful for mundane work tasks

maybe it can also maintain my social life for me so i never have to text anyone ever again

I will say that local models are usually pretty awful at hallucinating... unfortunately just the limitations of the smaller amount of params

But it is cool that we are entering an era of hardware where local inference is possible + available on a smaller scale

I still want to try locally running some larger param open source models like the 120b nemotron model, might be doable since it's MoE trained

ah nvm the weights would absolutely destroy my RAM

If I had more RAM then it'd be doable

yeah lower param models hallucinate a lot and are a lot more likely to just ignore your instructions, havent tried the bigger parameter models though since i dont have the specs

MoE is getting really good, especially qwen 3s MoE so you can run very large models at acceptable performance but yeah you still need the ram for it

my max is probably a 40b MoE model with an rtx 3080 with 10gb vram and 32gb of memory, probably more if i ran linux instead of windows

your gpu can be meh though as long as you have enough vram which is the most important bit

can do cpu+ram only inferencing but its slower but surprisingly not that slow if you have a decent enough cpu with SIMD

I finally upgraded my laptop recently so I've been experimenting with a 5070ti/12gb VRAM & 32gb RAM

The adjustment from going from a 1050ti/4gb vram w/ 16gb of ram is crazy lol

i heard people say that json can't be a database

guess what i store 15gb of data

in a single json

jsonl has to be a life saver

allowed me to stream data perfectly

I mean streaming data from disk is different than using it as a database lol

Large jsonl files are fine for streaming but the ACID properties of a traditional DB are what’s useful about them

like, you CAN use it for storing data, but you shouldn't depend on it for things expecting performance

json requires loading the whole thing in memory to be manipulated, does not allow multithreading and has no way to query data

it's also uncompressed, and if you do it yourself there's yet another (high) performance cost - having to uncompress/compress everytime you want to load/flush the data

in other words, is a slow, huge single-threaded database with a massive memory footprint

at any point you're better just going with sqlite, or redis if u want a json-like format

Well technically nd-json is created especially for allowing line per line retrieval

Making it perfect for streaming

It doesnt put everything in memory that is how json works

Jsonl allows you to create a read stream that retrieves the file row for row

Jsonl IS compressed. Instead of a huge object it puts all data on a single line

I think you are mixing up json and jsonl

JsonL isn’t compressed

Hmm yeah not in terms of size nah

Its more readable, line per line makes it nice

I am experimenting with procedural terrain generation and im using a noise function

function fbm(x, z, octaves, frequency, amplitude, lacunarity, persistence)
    local total = 0
    local currentFrequency = frequency
    local currentAmplitude = amplitude
    
    for i = 0, octaves - 1 do
        total += math.noise(x * currentFrequency, z * currentFrequency) * currentAmplitude
        currentFrequency *= lacunarity
        currentAmplitude *= persistence
    end
    
    return total
end

local terrain = workspace.Terrain

terrain:Clear()

for x = 0, 200 do
    for z = 0, 200 do
        local biomeNoise = math.noise(x * 0.001, z * 0.001)
        local t = (biomeNoise + 0.5)
        local amp = 20 + (150 - 20) * t

        local height = fbm(x, z, 6, 0.01, amp, 2, 0.5)

        local position = CFrame.new(x * 4, height / 2, z * 4)
        local size = Vector3.new(4, math.max(height, 4), 4)

        terrain:FillBlock(position, size, Enum.Material.Grass)
    end
end

I understand some things but not a lot. I know that when you multiply your x and z by a value in the noise function it controls with wavelength, and multiplying the entire thing by a value controls the height.

but I really don't understand the core of the math involved, or how exactly noise works beyond that.

Like interpolation, I don't really understand that, or like what do I change to get some smoother patches of terrain as well.

also what is lacunarity and persistence

interpolation is basically just "filling the blanks" between two endpoints

let's say, if I wanted to fill the space between 1 and 2

I could go with no interpolation, which means a sharp jump between the values: [1, 2]

or I could make it a smooth linear ramp, f(min,max,f) = min * (1 - f) + max * f

this would make the transition go uniformly from min to max depending on f (a float going from 0 to 1, or higher to extrapolate)

ooooor you could, say, go smoothly till middle, then a shap transition and finish with a smooth ending (idk the formula for this one)

but anyway, it's just how your noise behaves when transitioning from a low value to a high value (dark to light)

as for noise, it's just a "blob" generator, when you multiply x and y you're just adjusting the horizontal and vertical dimensions of the blobs, and multiplying the whole thing changes the magnitude between peaks and valleys

if you wanted a smoother terrain, but keep deeper oceans, you'd use a curve like this

meaning both ocean and surface are relatively smooth, but there's a high contrast where they meet

ofc not as sharp as that one unless you want the equivalent of an underwater cliff

as for lacunarity and persistence I have no idea about it, but given they're multiplying frequency and amplitude, it's probably controlling how close the "blobs" are to eachother and how big the difference is between valleys and peaks, respectively

This ^^

Most basic procgen is basically just a 3d surface sampled at different points with a bit of noise sprinkled in

Sampling at some given x, z coordinate gives you a corresponding y coordinate

the top gg descrption updating is pain in ahh

🙏

how to get project creator role?

Ask on #support for the role and wait

i tried that too and i swear i did not inspect element this

They are not wrong

I saw that

Just didn’t wanna post it

hey guys

i got another data science question.

How do i convert an AST to a feature vector that my classification model can learn on?

I have like a very sparse dataset, 5000 samples at most.

Doc2Vec seems sick but it's essentially needing a bunch of data

This is a super loaded question lol

oh, loaded as in..?

You can use an existing embedding model, that'd probably be best

As for training your own, you'd probably need more samples

yeah 100%, but that's why i don't want to use any deep learning way of feature extraction

i heard something about child-parent paths, n-grams etc.

been asking AI but it's too dumb.

The problem is that if you want a good vector representation, then the model needs enough samples to learn the semantic value of each token in relation to each other

This is internally how transformers work

It learns the embedding over many samples

i know, but that's why i don't want to use any vector embedding tools such as code2vec, etc etc

instead i need a different way to somehow turn an ast into sensible features

It ultimately depends on what your goal is

NLP is usually done with deep learning for this reason, you can't really avoid it fully

I have classification models being XGBoost and SVM. I basically need to get the AST and learn its features.

Problem is, how do we get that lol.

Initially i wanted to extract all path's on a tree, but that still gives the same issue.

I mean you can try to extract meaningful features like from bag of words

hmm how about bags of paths?

That wouldn't lose any structure.

I intially wanted to do anything with paths anyways. Bags of words wouldn't work. I am detecting js skimmers. A path like Access Dom -> Fetch would be highly suspicious.

or something like eval -> dom -> fetch

I mean from a quick discussion with AI that seems to be a possibility. Deep learning is probably best for generalization but your sample count is too low for good training. AI cobbled together a general idea of having like a set of suspicious source nodes and a set of suspicious sink nodes and counting those paths for a feature

hmm like source -> leaf paths?

Here is a function it threw together, you can take a look and determine if it's relevant to what you're trying to do:

def find_call_nodes(node, targets, found=None):
    if found is None:
        found = []
    if node.type == "call_expression":
        name = get_callee_name(node)  # extract function name
        if name in targets:
            found.append((name, node))
    for child in node.children:
        find_call_nodes(child, targets, found)
    return found

SUSPICIOUS_SOURCES = {"document.cookie", "localStorage", "getElementById", "querySelector"}
SUSPICIOUS_SINKS   = {"fetch", "XMLHttpRequest", "sendBeacon", "eval", "WebSocket"}

def skimmer_path_features(root):
    sources = find_call_nodes(root, SUSPICIOUS_SOURCES)
    sinks   = find_call_nodes(root, SUSPICIOUS_SINKS)
    features = {}
    for src_name, src_node in sources:
        for sink_name, sink_node in sinks:
            if is_ancestor(src_node, sink_node) or in_same_scope(src_node, sink_node):
                key = f"{src_name} -> {sink_name}"
                features[key] = features.get(key, 0) + 1
    return features

Obviously the problem being that you yourself have to identify the suspicious sources/sinks

hmmm

what about extracting source -> leaf paths, and then chunking it into n-grams.

That would prevent the model from overfitting from too much noise.

we then use bags of paths.

A lot of ML is going to just be trying it and seeing if it works. There is probably more accurate approaches but you don't know for certain until you test it

i think that would work!
Imagine a 3-gram path like eval -> DOM -> fetch, if it's present in an ast it's feature will be 0 for that path. It can indicate malicious behavior.

Tweaking the n parameter is hard tho.

that's true, but that's why this is not a comparative analysis. I rather try to compare the resulting machine learning model (tree based vs linear)

The underlying ML model can be swapped with relative ease, the feature engineering/hyperparam selection is usually the hard part

yeah definitely. Thankfully i synthetically generated all datasets already

did some pre and post processing.

Code analysis is very very tricky to get right

All i need to do now is extracting the feature vectors.

Especially without deep learning

true, i have read some papers that compare n-grams to doc2vec etc.

N-grams performed worse for sure, but not shabby either.

There's no way i can use doc2vec, code2vec or whatever in my current dataset. So i have to resort to lower-sample size methods.

is that academically okay tho lmao?

I would just try it and see what happens. If you don't want to invest a ton of time into trying it just for it to fail, you can use AI to generate the bulk of the code and figure out if it works well or shows promise

yeah definitely!

skimmer related instances are soooo sparse

like no one has them except for big enterprises like sansec, sucuri etc.

i spent a whole week to generate syntehtic data.
How? I had 60 samples of real skimmer instances, and i applied obfuscation with randomized configurations and seeds. I am only interested in the AST anyways so the source code doesn't really matter to me.

Data is definitely a limitation for you here, it's tough to train something so complex without a lot of samples