Pay special attention to "Automation" and "Publish" token types, as they aren't scoped and allow writes. They also never expire.
"Granular" ones are trickier. They MAY be read-only or tightly scoped. It's hard to tell, as the token page doesn't show this info. Their lifetimes can also be very long.
"Granular" ones are trickier. They MAY be read-only or tightly scoped. It's hard to tell, as the token page doesn't show this info. Their lifetimes can also be very long.
September 17, 2025 at 8:01 PM
Pay special attention to "Automation" and "Publish" token types, as they aren't scoped and allow writes. They also never expire.
"Granular" ones are trickier. They MAY be read-only or tightly scoped. It's hard to tell, as the token page doesn't show this info. Their lifetimes can also be very long.
"Granular" ones are trickier. They MAY be read-only or tightly scoped. It's hard to tell, as the token page doesn't show this info. Their lifetimes can also be very long.
This was a very good read. It's also a good reminder to check our own NPM access token pages and maybe delete old lingering tokens.
September 17, 2025 at 8:01 PM
This was a very good read. It's also a good reminder to check our own NPM access token pages and maybe delete old lingering tokens.
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.
Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
September 10, 2025 at 1:24 PM
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.
Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
NPM supports switching from Authenticator App (TOTP) based 2FA to more phishing resistant WebAuthn based 2FA.
Adding a WebAuthn security key and disabling the Authenticator App is a pretty quick process.
For example Apple Touch ID & Windows Hello work! Physical keys work too, but aren't required.
Adding a WebAuthn security key and disabling the Authenticator App is a pretty quick process.
For example Apple Touch ID & Windows Hello work! Physical keys work too, but aren't required.
September 9, 2025 at 12:36 PM
NPM supports switching from Authenticator App (TOTP) based 2FA to more phishing resistant WebAuthn based 2FA.
Adding a WebAuthn security key and disabling the Authenticator App is a pretty quick process.
For example Apple Touch ID & Windows Hello work! Physical keys work too, but aren't required.
Adding a WebAuthn security key and disabling the Authenticator App is a pretty quick process.
For example Apple Touch ID & Windows Hello work! Physical keys work too, but aren't required.
Update one @types/* package, introduce 80 new indirect dependencies + 16 new maintainers into our supply chain.
August 15, 2025 at 2:51 PM
Update one @types/* package, introduce 80 new indirect dependencies + 16 new maintainers into our supply chain.
As real as it may seem, this heartwarming reunion is fake. Snakes don't have tear ducts.
August 5, 2025 at 11:35 PM
As real as it may seem, this heartwarming reunion is fake. Snakes don't have tear ducts.
Been playing around with AI image generators today. Very impressive stuff!
Here's a handy corporate #cybersecurity poster that lists the first 4 steps to take after getting hacked. Feel free to hang it on your office wall!
Here's a handy corporate #cybersecurity poster that lists the first 4 steps to take after getting hacked. Feel free to hang it on your office wall!
July 15, 2025 at 4:26 PM
Been playing around with AI image generators today. Very impressive stuff!
Here's a handy corporate #cybersecurity poster that lists the first 4 steps to take after getting hacked. Feel free to hang it on your office wall!
Here's a handy corporate #cybersecurity poster that lists the first 4 steps to take after getting hacked. Feel free to hang it on your office wall!
Enter the Hamburgerverse! www.dwitter.net/d/34078 #dwitter
for(i=1400,c.width|=0,x.globalCompositeOperation="xor";i>200;i-=i/6)x.font=`${i}px ä`,x.strokeText("🍔",960-(3+C(.8*t))*i/5,540+(2+S(t))*i/5)
for(i=1400,c.width|=0,x.globalCompositeOperation="xor";i>200;i-=i/6)x.font=`${i}px ä`,x.strokeText("🍔",960-(3+C(.8*t))*i/5,540+(2+S(t))*i/5)
July 2, 2025 at 2:23 PM
Enter the Hamburgerverse! www.dwitter.net/d/34078 #dwitter
for(i=1400,c.width|=0,x.globalCompositeOperation="xor";i>200;i-=i/6)x.font=`${i}px ä`,x.strokeText("🍔",960-(3+C(.8*t))*i/5,540+(2+S(t))*i/5)
for(i=1400,c.width|=0,x.globalCompositeOperation="xor";i>200;i-=i/6)x.font=`${i}px ä`,x.strokeText("🍔",960-(3+C(.8*t))*i/5,540+(2+S(t))*i/5)
Readability may have suffered a bit during optimization.
April 2, 2025 at 7:00 PM
Readability may have suffered a bit during optimization.
TIL: macOS is now perfect. Since version 15.2 you can add the current weather conditions to the menubar!
support.apple.com/guide/weathe...
support.apple.com/guide/weathe...
February 18, 2025 at 8:40 AM
TIL: macOS is now perfect. Since version 15.2 you can add the current weather conditions to the menubar!
support.apple.com/guide/weathe...
support.apple.com/guide/weathe...
Finally, the @preactjs.com team exposed as a bunch of shameless bloat peddlers!
(Check out the Standalone Preact Builder at standalonepreact.satge.net, it's really cool ✨)
(Check out the Standalone Preact Builder at standalonepreact.satge.net, it's really cool ✨)
December 20, 2024 at 9:45 PM
Finally, the @preactjs.com team exposed as a bunch of shameless bloat peddlers!
(Check out the Standalone Preact Builder at standalonepreact.satge.net, it's really cool ✨)
(Check out the Standalone Preact Builder at standalonepreact.satge.net, it's really cool ✨)
VSCode, the Dev Containers extension & its "Clone Repository in Container Volume" command are lovely for compartmentalizing your local dev work.
For example, the Preact Signals repo's (github.com/preactjs/sig...) .devcontainer setup handles things like installing a containerized browser for tests.
For example, the Preact Signals repo's (github.com/preactjs/sig...) .devcontainer setup handles things like installing a containerized browser for tests.
December 20, 2024 at 5:27 PM
VSCode, the Dev Containers extension & its "Clone Repository in Container Volume" command are lovely for compartmentalizing your local dev work.
For example, the Preact Signals repo's (github.com/preactjs/sig...) .devcontainer setup handles things like installing a containerized browser for tests.
For example, the Preact Signals repo's (github.com/preactjs/sig...) .devcontainer setup handles things like installing a containerized browser for tests.
If someone needs logo work done for their Bluesky client, my skills are available. I would describe my style as elegant, timeless and dignified.
December 1, 2024 at 2:50 AM
If someone needs logo work done for their Bluesky client, my skills are available. I would describe my style as elegant, timeless and dignified.
...while this does not 😀 (This applies to v8, btw, haven't tried some of these variations with other engines)
November 28, 2024 at 11:55 PM
...while this does not 😀 (This applies to v8, btw, haven't tried some of these variations with other engines)
It's interesting. For example this goes off the cliff again...
November 28, 2024 at 11:49 PM
It's interesting. For example this goes off the cliff again...
I take no joy reporting that this optimization boosts our type validation code performance by up to 2x.
November 28, 2024 at 10:59 PM
I take no joy reporting that this optimization boosts our type validation code performance by up to 2x.
E N H A N C E ! ! ! ! ! ! ! ! ! ! ! ! ! !
November 22, 2024 at 5:01 PM
E N H A N C E ! ! ! ! ! ! ! ! ! ! ! ! ! !
Marvin visualized the bundle with www.npmjs.com/package/vite... and from there it was just a matter of spotting the two Zod versions.
November 21, 2024 at 8:57 PM
Marvin visualized the bundle with www.npmjs.com/package/vite... and from there it was just a matter of spotting the two Zod versions.
Reaching another million user mark used to be a big deal, but now it's just Thursday. Well done, @bsky.app team 🦋
Also, thanks to @natalie.sh for bcounter.nat.vg. The digital confetti was a nice touch!
Also, thanks to @natalie.sh for bcounter.nat.vg. The digital confetti was a nice touch!
November 21, 2024 at 11:04 AM
Reaching another million user mark used to be a big deal, but now it's just Thursday. Well done, @bsky.app team 🦋
Also, thanks to @natalie.sh for bcounter.nat.vg. The digital confetti was a nice touch!
Also, thanks to @natalie.sh for bcounter.nat.vg. The digital confetti was a nice touch!
One of the rulers of Morioka Park, inspecting the grounds.
November 7, 2024 at 9:34 AM
One of the rulers of Morioka Park, inspecting the grounds.
The rulers of Morioka Park.
November 6, 2024 at 8:01 AM
The rulers of Morioka Park.