Bossett
@bossett.social
Profile labeller: @profile-labels.bossett.social
Discord for feeds, lists, mod tools: https://discord.gg/tYuDvuzbVA
Feeds I host (incl. Science 🧪): http://l.bossett.io/w9iM2

he/him
📍 🇦🇺

👾 bossett
📧 [email protected]
we have *got* to stop giving them cool names
November 25, 2025 at 4:14 AM
this is the same argument that could have applied to windows xp - biggest, most users, so of *course*… etc etc

I kind of reject the idea that ‘everyone does it this way’ is a good argument when the one that makes the news is npm
November 24, 2025 at 10:36 PM
yah and specifically I'm interested in new best practice for CI/CD since we know those environments are becoming more complex and software developers really tend to favour velocity over security
though no one ever does a good job of securing CI/CD environments, if not npm it's going to be *something* else

not really a generically safe way to work with other people's upstream code & even if we fix *that* we still aren't closer to fixing the 'some packages are just malicious' problem
no way to prevent this says only package manager where this regularly happens
November 24, 2025 at 8:18 PM
yeah and there have been some exploits in the area

but... it's also a much clearer line to commercial consequences since security is a 'oh we take the risk and get to move quick and fix it with a press release' v 'oh we take the risk and maybe someone steals our coveted IP'
Microsoft Patches Copilot AI Flaw After Root Access Exploit
Researchers from Eye Security exploited Microsoft's Copilot AI by uploading a malicious script to its Python sandbox, gaining root access to the container without accessing sensitive data. Microsoft p...
www.webpronews.com
November 24, 2025 at 8:09 PM
maybe but I think ultimately "running snippets on our stuff that may be generated by an adversary" is going to mean the protections need to exist outside of the language/runtime
November 24, 2025 at 8:08 PM
we need this for things like CI/CD but that doesn't get attached to commercial consequences in quite the same way
November 24, 2025 at 8:04 PM
specifically these attacks are around npm's behaviour of auto-executing code from the package definition (as a way to bypass analysis tools that only look at the code)

definitely happens elsewhere but npm is designed to make this almost inevitable
November 24, 2025 at 7:49 PM
what we need is some defensive build processes - hardened CI/CD processes, very limited and JIT secrets, testing that involves detonations/unwanted function checks, compulsory security scanning that hit everything in the bundle - that sort of thing
November 24, 2025 at 7:47 PM
it's just going slowly - a lot of people moving off npm (stop blindly executing from package.json), a lot of people doing better dependency hygiene

but all it takes is one gap that has access to a deployment secret and...
November 24, 2025 at 7:44 PM
third party bsky client I assume
November 24, 2025 at 7:38 PM
idk I'm not sure manual updates are really ideal because you're trusting their entire upstream anyway and it's not like anyone is investing in the mass analysis of every LoC in their non-trivial project
November 24, 2025 at 7:36 PM
dw I bet all the affected maintainers will rotate their secrets and push a known-clean build in <constant time>
November 24, 2025 at 7:34 PM
🤨
November 24, 2025 at 6:45 AM
I feel like this is something the antologists need to talk about more
November 24, 2025 at 5:33 AM
what I need to find is pretty bugs like the redbacks but also I'm not sure I want to go poking around in the shed looking for spiders
November 24, 2025 at 5:22 AM
it's probably an API design hint - might be better to return an object that contains an empty array or metadata with a recordCount of 0

that way you can handle undefined with an 'API is broken' exception - in case fetch is missing a body property or something
November 24, 2025 at 3:44 AM
they just seem so nervous most of the time

until they get annoyed at something and then...
November 24, 2025 at 1:44 AM