Dominykas Blyžė
dominykas.social
Full of stack
This is also interesting in terms of changing the economics of rewrites, esp. if doing so also forces you to document the things that might have been buried inside human heads.

Greenfield is cheap? Throw away old code as soon as it starts to rot and start from scratch!
December 18, 2025 at 7:11 PM
By definition.
December 18, 2025 at 7:05 PM
Who cares, we'll just have the AI tell us the code is good - why even run tests for it?
December 16, 2025 at 8:16 PM
Imagine the pressure yer man is working under...
December 14, 2025 at 9:10 PM
Not meta enough.

If you're a team lead, and your team starts emitting a lot more product (let's suppose it's not just "code", let's suppose it's actually "value") - how do you deal with _that_?
December 14, 2025 at 7:37 PM
And probably, unfortunately, not just your country.
December 8, 2025 at 8:09 PM
What's up with those fingers?
December 8, 2025 at 4:32 AM
Reposted by Dominykas Blyžė
Folks would have seen a warning in sfw within minutes of the original publish, when automated scanning detected the potential malware and it was marked as “potential malware”. Further along in the malware campaign, human review was roughly happening in realtime, so sfw was blocking more quickly.
November 26, 2025 at 8:57 PM
Use 2FA to publish.
November 26, 2025 at 8:32 PM
Reposted by Dominykas Blyžė
every option, including "no 2FA at all", *can* be made secure. The problem is that it shouldn't even be POSSIBLE to publish insecurely - and either way, defaults matter.

OIDC and token-based publishing are default insecure, full stop.
November 26, 2025 at 8:07 PM
Reposted by Dominykas Blyžė
We need them to enforce it on OIDC publish or turn OIDC publish off until it can be enforced, and to treat this with the urgency it needs.

I want to be able to stop having this discussion every other week and go into the new year without more supply chain incidents over the holidays.
November 26, 2025 at 7:31 PM
It's times like these that I become a believer in LLMs overtaking humans in coding. Because the bar is really not that high...
November 26, 2025 at 11:30 AM
Next thing you know, there will be legislation that bans well known patterns for matching secrets. You'll go to jail for using a regex. Against your own codebase to avoid leaking them.
November 26, 2025 at 11:27 AM
Reposted by Dominykas Blyžė
> as in its current state it wouldn’t prevent attacks such as Shai-Hulud and other recent ones.

From our blog, almost like we knew. 🔮

openjsf.org/blog/publish...
Publishing More Securely on npm: Guidance from the OpenJS Security Collaboration Space | OpenJS Foundation
The OpenJS Security Collaboration Space has been working closely with GitHub’s npm team to understand how new security features affect projects and maintainers, especially as threats and tools keep ev...
openjsf.org
November 24, 2025 at 7:58 PM
I know 😁

Doesn't make his message less ominous if said in the right voice 😁
November 17, 2025 at 7:43 PM
Sounds like a threat to me.
November 17, 2025 at 7:08 PM
Did everyone fire all the UX designers in all the layoffs?..
November 14, 2025 at 7:31 PM
Google's mantra in the good old days used to be "don't do things for SEO specifically, just produce good content with good structure, the bots will figure it out".

Whatever happened to good ideas like that?
November 14, 2025 at 7:30 PM