happy birthday!! 🎊🎂

your honor, I believe it was Hoobastank who first said, “I’m not a perfect person”

doing the “too small” cele after clogging the toilet at work

🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.

makes me sad all
over again about the dbacks season 🥲

we now have an @e18e.dev github action which can diff your dependencies in PRs

things like:
- change in trust level (loss of trusted publisher)
- adding >threshold dependencies
- adding >threshold install size
- bundle size difference (vs main)
- duplicate deps

early days so please give feedback!

Zoltan Kochan is a full stack web developer and the creator of @pnpm.io. He joins the show with @joshuakgoldberg.com to talk about the state of package management for web dev.

@kochan.io

softwareengineeringdaily.com/2025/09/18/p...

i read Dark Squares by @danielrensch.chess.com over the weekend and was floored by it. i accidentally stayed up until 2am the first night reading it!

i found it heart-wrenching and life-affirming. i can't recommend it enough

i did this once with `read`. went from 25KB to 23MB

🚀 Announcing TanStack.com Start v1 Release Candidate!

Upgrades ↓

✨ Unified Route Tree: no more server-specific files
🔐 Type-safe middleware & server context upgrades
🛡 CSP/nonce support
⚡ Now works with any native Vite Env plugin
🌀 Zero-JS: any server handler can render!

in game 156 of the 2024 season, the Dbacks went up 8-0 before blowing the game in the 9th. they would go on to miss the playoffs by 1 game.

in game 156 of the 2025 season (yesterday), they went up 8-0 and held on for the win. they're 1 game out of the last wild card spot. this time it's different?

i read Dark Squares by @danielrensch.chess.com over the weekend and was floored by it. i accidentally stayed up until 2am the first night reading it!

i found it heart-wrenching and life-affirming. i can't recommend it enough

dudes rock

SquiggleConf deserves an order of magnitude more attendees

i beat all the staff ghosts in mario kart world. my kids are very proud of me

Hey we're hiring for in-person engineering roles in SF. I really enjoy my job and you might too. Come hang out and build developer tools!

eternally grateful to @friendoftheflower.com for letting me keep my bikes in here

i’m at the flower studio
i’m at the bike room
i’m at the combination flower studio and bike room

im not sure, but thats a good question. my only guess is that this was easier/faster?

had to pivot from the github token to commit and trigger a workflow to get the npm token though

yeah lots of pivots just to get the npm token, then all bets are off

i believe the publish action did run (with the malicious commit included) but only to get the token

reading the rest of your thread i think you realized this :)

i dont believe the attacker used their own actions to publish. they used the action to exfiltrate the NPM_TOKEN available to the action, but then published in some other way (assuming from their local machine)