Hacker News: greysteil's comments

Is $2,300 the going rate for an RCE with a totally believable attack vector these days?


I dunno, I’m still pretty surprised the MCP server auth process could pop a calculator on widely adopted clients. The protocol isn’t perfect but that’s totally unnecessarily unsafe. Glad it’s fixed!


> Glad it’s fixed!
...and they used some random package with version 0.0.1 instead of writing 20 lines of code themselves.

It's astonishing how allergic some people are to writing their own code, even the simplest shit has to be a dependency. Let's increase the attack surface, that's fine, what can go wrong, right?

https://github.com/modelcontextprotocol/use-mcp/commit/96063...


You have a valid point about dependency management in general, but in this case, the v0.0.1 package was created by the same author "geelen" as the commit you linked. So, they're not allergic to writing the code, and it's not "some random package".


PM at Figma here (for dev tools, not slides).

What happened to Allen here sucks. I've messaged the team so we can dig into this specific case. More generally, we know that Slides needs to be bulletproof when presenting, and nothing less than that is acceptable.

As an FYI, we _do_ use Figma Slides internally for pretty much everything, from internal meetings to major events. As a PM I use it every week, and our internal feedback channel for Slides is super active with folks like me requesting improvements. Figma is also a pretty unique place, where it's more likely our senior leadership request quality improvements than chase for deadlines - we know how critical the user experience is. We don't always get it right, but when we don't we're committed to fixing it.


> As an FYI, we _do_ use Figma Slides internally for pretty much everything

I think this is part of the issue. How much of the internal use stays within the editor view? Do you have any internal stakeholders who won’t click a Figma link and instead want a PPT or PDF? Because those are normal requests for presentations - but not ones that you’d find with internal use.

For example, there needs to be a way to export to PDF that’s less than several hundred MB. And the PPT export is hopelessly broken - the outputs look like a clipped ransom letter.


I'm usually building my slides in Figma (the original app), and I've learnt to run the PDF exported by it (hundreds of MB) through Adobe "Compress PDF" online utility that gets it to <10 MB. Would be great for the Figma-exported PDF to be small right away.


On a tangent, being in the video industry, for me to see a file only in the hundreds of MBs wouldn't even get my attention. It's funny how used to the boiling water one gets when it happens slowly. Of course a PDF is not a video file, so maybe something would feel hinky???


It’s amazing how small text and images, even compressed video, can get compared to uncompressed video.

Caring a little bit will help save a bunch of space.


Does video these days really ever exist uncompressed other than when it's in transit, like through an HDMI cable or in a frame buffer?

Does anyone store uncompressed video these days? Honest question.


Sending files over email is just extremely common; staying lower than 15 MB is almost a requirement to facilitate easy communication in many businesses.

Also, I tend to have OneDrive sync my active projects, including the steerco and update slidedecks, to my iPad, to read on my iPad when travelling or commuting. Small decks are so much more pleasant to deal with, and can easily sync over a mobile connection


Regardless of the specific bugs he ran into, it is a product that only works well online, despite how difficult it is for a user to know for sure ahead of time what kind of connection will be available when it counts. Isn’t that just a fundamental miscalculation for this type of product? It’s almost guaranteed to put a certain percentage of your users in an embarrassing situation in front of an audience.


There is an offline feature, it just didn’t work properly.

Having offline access to documents is a solved problem in cloud-backed apps, including Figma. All of the comments about the cloud component must be from people who have never used Figma. It’s not an inherently broken thing, it was just broken in Slides.

Figma’s other tools are generally good. That’s why it’s so confusing that they released Slides in such a broken state.


But I’m talking about Slides, not Figma in general. Presentation software actually working correctly when you have your presentation is mission-critical.


>despite how difficult it is for a user to know for sure ahead of time what kind of connection will be available

In 2025 it's a safe assumption to assume the user always has internet access. I've never had to worry if I will have internet access when I go to an event.


The user will always have internet access - except when it suddenly drops out during that one critical meeting.

Doing a presentation at a conference? The hotel promised there would be "internet", but failed to mention all 10.000 attendees would be sharing a 10Mbps link. Doing a presentation at another company? They've got an overly-aggressive firewall on the guest network, so Figma isn't loading - and your provider decided to temporarily block your 5G tethering due to "misuse". Presenting a keynote at Computex? Guess Figma is having an outage, better tell the hundreds of journalists to come back tomorrow!

Your internet may have always worked so far. Are you willing to bet your career on some random 3rd party internet connection - or Figma itself - never having an outage?


> Doing a presentation at another company? They've got an overly-aggressive firewall on the guest network

This happened to me lol. I copied a demo video from our landing page, and the host company somehow blocked our CDN, so the demo slide was just a blank page. I had to mouth the whole demo from memory, not too bad but it was really awkward.


>drops out during that one critical meeting

The article said that it handles drops of internet connections fine.

>sharing a 10Mbps link

You aren't streaming a video.

>They've got an overly-aggressive firewall on the guest network, so Figma isn't loading

Figma is an industry standard tool. It would be unlikely to be blocked.

>and your provider decided to temporarily block your 5G tethering due to "misuse"

You can probably present directly from your phone in this case.

>Guess Figma is having an outage, better tell the hundreds of journalists to come back tomorrow!

I guess so. Or the journalists can watch the livestream or a recording.


Sometimes I read comments and wonder how someone could be so divorced from reality.


> The article said that it handles drops of internet connections fine.

I ... don't think it does? It states the exact opposite at least twice:

> Just because you have a presentation open and loaded, doesn’t mean you can present it. If you are offline when you actually click Present, it will barf.

> Once you are presenting, you can click to “download” the presentation to be available offline – but be careful not to close the tab or it will undownload!


Events are actually one of the last places in the populated world without reliable internet, either from dead zones in a lot of facilities or overloaded wifi & local networks.


This is a bad assumption to make. There are infinitely many reasons why the internet could be not working currently. This is just lazy engineering and a lack of testing.


Which is why you need to weight them by likelihood. There will always be an infinite amount of things that can go wrong.


That doesn't change the fact that your point about internet always being available is not accurate at events with lots of people where networks may struggle or be overwhelmed, and there is a lot of interference. Not to mention, devices can have issues, there can be interference, etc.


No, it absolutely is not safe to assume that the user has Internet access, or that if they do the access is fast or reliable.


Figma Slides does not need fast and reliable internet.


Try connecting to the Wi-Fi at the London ExCeL or the Paris Expo sometime and then say that again with a straight face.


Turn up during pre-conf, check your slides with conf IT, works beautifully.

Day of conf, 100x the number of users. Things go boom.


When I walk into a client's office for a meeting, I like to be able to plug into a projector and talk through my slides (which I export to PDF for simplicity). I don't want to have to ask for a guest Wifi password or anything else technical. As a result, I usually give presentations offline, unless the projector needs me to connect over the internet. Sure I could tether my laptop to my phone, but why add a dependency?


In 2025, what service provider are you using that never has service disruptions?


Having disruptions is handled fine as shown in the article.


You never actually did try to have a conference talk did you?


Thanks Grey – other than the presenting-at-an-event flow I really did like the Figma Slides experience, so this is great to hear. The world is better off with a strong Figma.


This is the epitome of “on our low latency 10 Gbps dedicated link to our servers it works fine!” response that I’ve learned to expect from all large corporations.

Now try your product, but use only WiFi tethering to spotty 4G… shared with fifty other people and tell me your cloud service “just works”.


I did most of this too! It was great.

Do you have recommendations for folks who can only do a shorter trip (say, a long weekend, or a week)?


The classic recommendation would be Passau - Vienna as the infrastructure is very well built out and Vienna is a great destination. This can easily be combined with a start in Munich and taking the bike back on the train to Munich for a round-trip that takes around 5-7 days (±500 km).

That being said a few other sections come to mind:

- the very start from Donaueschingen to Regensburg is on beautifully wild cycling paths in the middle of nature with a number of interesting cities along the way

- Vienna - Budapest + train back is another fun loop including 3 capitals!

- For the more adventurous, the Serbian part is very scenic too. Belgrade is great. Leaving it on the busy road not so much. After that you quickly find yourself on a meandering road along the shore with spectacular cliffs and tunnels. No cycling path anymore. But well worth it.

- Romania is still challenging for cyclists, but the delta is very spectacular if you get a chance to visit it (by boat, no bike, as there are no roads).


I've been building mentions.us[1] - it sends you alerts when your keywords are mentioned on Hacker News, Reddit, Bluesky, LinkedIn and a few other places. For anyone who uses F5Bot, it's similar but with some extra data sources and a Slack integration.

It's been a fun project. Dealing with the scale of Reddit (~300 posts/second) creates some interesting technical challenges. It's also let me polish up my frontend development skills.

I don't think it will ever be a money spinner - it has ~70 folks using it but they're all on the free tier. It's felt really good to build something useful, though.

[1]: https://mentions.us


You just got a signup :) Free plan, I'll admit. I don't need or want anything other than email notifications, and the free plan for that is very generous. Thanks for building this.


:D


For the social platforms, are you hooking up to their APIs or just using Google? I'm only interested in emails and would pay a small price for that (say 5-7/month). I've signed up and added my first keyword to test.

That being said, here is an additional feature: being able to track discord/slack/telegram by providing my API key and you streaming the content of the groups I've signed up to.


We’re hooking up to the APIs - the goal is to alert you of mentions as quickly as possible, so waiting for Google to index results would introduce (much) too much lag.

Interesting feature request! I’ll have a think on it.


This is really interesting, thanks for sharing! I'm keen to know how it compares to a tool like Pulsar? I've been quoted a huge amount to use their service, and it looks like mention.us basically fulfills the same social listening function? If it does then I will definitely push my org to sign up!


Thanks! I haven't used Pulsar, but the general answer is that mentions.us is focussed on sending you alerts for notifications, whereas more sophisticated social listening tools provide a lot more analytics (e.g., sentiment analysis).

If your company just wants alerts when their keywords are mentioned on social media then mentions.us should work great for them. If you work for Coca Cola then you likely need something very different from your social listening tool!


Thanks for clarifying, we're a small org and so the few mentions we get could be analysed manually I'm sure. I will flag it to the marketing team!


Sounds very cool. I'm curious how you manage to monitor Linkedin though. The only tool that seems capable of monitoring Linkedin is https://kwatch.io , so if you manage to achieve that too it's impressive.


Hey Julien! I’ve seen you advertising KWatch in lots of places, assume you’re connected to it / know the founder?

For LinkedIn monitoring we use the voyager APIs. It’s not perfect because it gets posts but not comments, but it’s pretty good.


Perhaps it would be of interest to people into social media marketing or people trying to build social media presence. Keywords mean a lot to them. I'm sure you've thought of it. Perhaps that is where market potential exists for it.


Your pricing is a little confusing: for free you are providing 100 keywords, and for your most expensive plan you are also providing 100 keywords; in fact the only difference between these two is Slack notification. What's the motivation behind this pricing plan?


I put more details in a reply to another comment, but basically I think the number of people willing to pay for email alerts is small, so I’ve made the service free for them. It’s only teams who want Slack notifications who have paid plans.

I’m not optimising to extract every possible $ from the market with that pricing strategy. Instead I hope it will maximise the number of users whilst breaking even on costs.


Looks very interesting!! I registered and found an issue: when I add the mention keyword, it shows two results, but after saving it, it shows zero results. I tried checking mentions for my side project DollarDeploy.


Thanks for the feedback! For saved terms we show you the number of matches we’ve notified you about, which always starts at zero, whereas during creation we show you how many you would have matched. That’s a confusing UI and I should improve it.


This seems very useful. Why not make it paid? Do you think your customers won’t buy? Have you tried?

What would your customers need to make them want to pay for it?


I think most of the people who sign up for email alerts would never pay. Lots of them are indie hackers or folks with a side project - I've been there, and know how price sensitive those communities are. I'd rather they use the service for free than not at all - I get valuable feedback from that, a marketing boost if they tell others about it, and the validation of having built something other people use.

I do have a paid plan for people who want Slack notifications, and I think those folks ought to be happy to pay. My hope is that I'll eventually get a few paid signups and that those will cover the costs of the service (which are minimal).

I know I lose a bit of revenue with the above approach, but it's a tradeoff I'm happy to make.


How do you get real time access to Reddit posts?


Through the API - in particular the info endpoint[1], combined with the fact that Reddit IDs are base36 encoded sequentially increasing integers[2]. You can get 100 objects at a time, so if you make ~3 requests a second it's enough to get all of the new posts and comments.

[1] https://www.reddit.com/dev/api/#GET_api_info

[2] https://www.reddit.com/dev/api/#fullnames
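An added example (not the commenter's code) of the polling approach described above: build lowercase base36 fullnames, request them from the info endpoint in batches of 100, and only advance the cursor past ids Reddit actually returned (ids not yet created, or removed, are simply absent from the response). The host URL, the response fields other than `id`, and the sample response are assumptions/constructed; real requests also need an OAuth token and must respect the API rate limit.

```python
import string

# Reddit fullnames are a type prefix plus a lowercase base36 id: "t3_" = link/post, "t1_" = comment.
BASE36 = string.digits + string.ascii_lowercase
KIND_LINK, KIND_COMMENT = "t3", "t1"
INFO_URL = "https://www.reddit.com/api/info"  # GET /api/info from the linked docs; host is an assumption
BATCH = 100  # the endpoint returns at most 100 objects per request


def b36encode(n: int) -> str:
    """Encode a non-negative integer as lowercase base36, the way Reddit ids are written."""
    if n < 0:
        raise ValueError("ids are non-negative")
    digits = []
    while True:
        n, rem = divmod(n, 36)
        digits.append(BASE36[rem])
        if n == 0:
            return "".join(reversed(digits))


def b36decode(s: str) -> int:
    return int(s, 36)  # int() accepts base36 directly


def fullname(kind: str, n: int) -> str:
    return f"{kind}_{b36encode(n)}"


def next_batch(kind: str, last_seen: int, size: int = BATCH) -> list[str]:
    """Ids are sequential, so the next objects are simply last_seen+1 .. last_seen+size."""
    return [fullname(kind, n) for n in range(last_seen + 1, last_seen + 1 + size)]


def info_url(fullnames: list[str]) -> str:
    return f"{INFO_URL}?id={','.join(fullnames)}"


def advance(last_seen: int, response: dict) -> tuple[int, list[dict]]:
    """Consume one /api/info Listing response. Returns the new cursor and the returned things.
    Missing ids (not yet created, or removed) leave the cursor at the highest id actually seen,
    so a batch requested too far ahead is safely re-polled on the next tick."""
    things = [child["data"] for child in response["data"]["children"]]
    highest = max([last_seen] + [b36decode(t["id"]) for t in things])
    return highest, things


def matches(things: list[dict], keywords: list[str]) -> list[str]:
    """Case-insensitive keyword filter over title + body; returns the ids that matched."""
    hits = []
    for t in things:
        text = f"{t.get('title', '')} {t.get('selftext', '')}".lower()
        if any(k.lower() in text for k in keywords):
            hits.append(t["id"])
    return hits


# Constructed sample response: two of the requested posts exist, the rest do not (yet).
SAMPLE_RESPONSE = {"kind": "Listing", "data": {"children": [
    {"kind": "t3", "data": {"id": "100", "title": "Constructed post A", "selftext": "mentions F5Bot"}},
    {"kind": "t3", "data": {"id": "102", "title": "Constructed post B", "selftext": ""}},
]}}
```

With a cursor of `1295` ("zz"), `next_batch` asks for `t3_100` through `t3_12r`; feeding `SAMPLE_RESPONSE` to `advance` moves the cursor to 1298 ("102"), and `matches` flags post "100" for the keyword "f5bot".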


How do you get realtime data from Reddit?


How do you get realtime data from LinkedIn?


For now we use the LinkedIn voyager API's search endpoint.


With your account? You never get blocked? That's impressive.


Can we take a moment to appreciate how good the disclosure and coordination process on this were?

* Reported to the maintainers privately

* Patch published and CVE issued before wider disclosure

* Automated fix PRs created within minutes of public disclosure (and for folks doing proactive updates, before)

The above is _really_ excellent. Compare that to Log4j, which had no CVE and no patch at the time it became public knowledge, and it's clear we've come a long way.

Supply chain security isn't a solved problem - there's lots we can still improve, and not everything here was perfect. But hats off to @leerob and everyone else involved in handling a tough situation really well.


It took over two weeks to triage on Vercel’s side after disclosure. How is that “good”?


I'm a bootstrapped solopreneur at the moment. I would maybe use this, but I generally DIY everything. For contracts, for example, I'd probably just dust off the YC template, make a few tweaks, and not sweat it. For my T&Cs I took another company's terms and made edits where I thought it was important. Definitely not legally watertight, but good enough for my purposes.

Solopreneurs are amongst the most resourceful folks out there, and also the most price sensitive, so we're a tricky market to go after.


I'm building mentions.us. It's a simple idea - alerts for keyword mentions on Hacker News, Reddit, Bluesky, etc., but has been a fun project. I wanted to build something that had broader coverage than F5Bot (which is excellent) and supported sending notifications to Slack.

Right now I'm working on adding LinkedIn support (trawling through private APIs).


I've been building https://mentions.us for the last couple of months. It's a little web app that monitors Reddit, Bluesky, Mastodon, Hacker News and a bunch of other sites for keyword mentions. Not an original idea (F5Bot has existed for at least 8 years) but a fun project, and I think it can make a contribution by monitoring more sources and having a free tier that includes sending Slack messages.

It has taken a couple of months to go from idea to a product that's polished enough for other people to use, and I've been full time on it. It has a couple of dozen companies using it now, almost all from the last couple of weeks. That's been a big boost!


I think an AI powered f5bot is needed. Curious to know: are you integrating the APIs of these platforms, or some other way?


Yeah, it's on my list. When you're scanning sites with high volume (Reddit has ~300 posts per second, Bluesky has ~100) you have to keep things fast and cheap, so I think keywords still have a role, but I think they can become an implementation detail.

My plan over the next couple of months is to build the option for users to enter the kind of things they want to scan for, have AI convert that to keywords, use the keywords for the (fast) scanning, and then apply additional filtering using AI to the small number of posts that match.

Not built yet, but I think there's a bunch of promise to using AI to find relevant conversations online.

Re: APIs, yep, all APIs. I'm not doing any web scraping at the moment.


I’ve found that everyone learns in different ways, and if having mentors / seniors to absorb knowledge from is how you learn best then I’d agree with the comments suggesting you change roles.

However, if you learn well by doing, or by reading, there are loads of other great ways to improve technically. I’ve made big leaps forward in my skills by building (relatively large) side projects, where I can safely experiment with different design decisions and see the consequences over time. I’ve also got a huge amount out of just sitting down and reading the docs for tech I’m interested in - some frameworks (like React) have fantastic resources that can take you from good to great.

Good luck!

