Patrick Heneise
patrickheneise.com
@patrickheneise.com
JavaScript / software engineer focused on green tech. Outdoor enthusiast based in Boulder, CO, originally from Germany. Passionate about sustainability and the great outdoors.
Driving around Denver is such a nightmare, and worse in the dark. People really don't give a shit. Got cut off by another driver, used my headlights to indicate that was too close and the other driver hits the brakes, forced me to a nearly full stop on the highway 😡
December 15, 2025 at 4:24 AM
December 14 in Denver, Colorado. 19°C, people walk around in shorts and shirts. This is nuts.
December 14, 2025 at 11:08 PM
Reposted by Patrick Heneise
Wild sky 🌌
New Mexico
December 10, 2025 at 4:59 AM
Reposted by Patrick Heneise
The original React2shell PoC is now public. This is as bad as it gets – full RCE. You must upgrade now. There are mitigations in place in CDNs including Cloudflare, Netlify, Vercel and AWS (and sites on Workers aren't vulnerable to this sort of attack), but there are variants in the wild now.
GitHub - lachlan2k/React2Shell-CVE-2025-55182-original-poc: Original Proof-of-Concept's for React2Shell CVE-2025-55182
github.com
December 5, 2025 at 11:13 AM
Reposted by Patrick Heneise
Hey @react.dev or @nextjs.org

I did a unique Defensive Coding workshop at DEFCON and NodeConfEU that's exploring techniques to avoid prototype pollution attacks, no matter how powerful.

I'd be willing to run it for free for the teams around RSC.

Do I know anybody who could help arrange that?
December 5, 2025 at 2:09 PM
Glad to see some companies still take the Changelog and release notes seriously. 😂
November 26, 2025 at 9:16 PM
Reposted by Patrick Heneise
LLMs write better bash than I do. At least they remember the for loop syntax.
November 26, 2025 at 8:13 PM
Really shocked how bad dishwashers are in the US. Never had to soak & rinse that much in my life!
November 26, 2025 at 5:04 PM
Reposted by Patrick Heneise
Not sure of the source but lol
November 26, 2025 at 4:31 AM
Reposted by Patrick Heneise
Developers, please, enable passkey MFA on your npm account. It's extremely easy, and makes this category of attack impossible. At this point, I feel like it's negligent of GitHub not to require this of all publishers.
November 24, 2025 at 11:10 PM
Reposted by Patrick Heneise
Some of us have been advocating this going back since ChatGPT launched. It also has other benefits: correcting someone else's work is actually a really good way to learn something yourself.
November 23, 2025 at 9:24 PM
Inflation rate over the past 12 months here was 3%, so this “high interest” kids account loses 0.5% annually 🤦
November 21, 2025 at 11:47 PM
Who came up with the idea that every tiny lib now needs a `.config.js/ts` in the repo root? I don't want to pollute my repo with files that have one or two config variables set. 😩
November 21, 2025 at 4:29 PM
Eitan @eitans.website is starting off BoulderJS and is looking for support for his computer science students. If you’re in the area, check it out!
November 21, 2025 at 1:12 AM
Somehow living in Mountain Time means we’re missing most of the internet outages. They mostly happen before the day starts here. 😆
November 18, 2025 at 2:31 PM
Reposted by Patrick Heneise
board game enthusiasts of bluesky, what are your top 10 board games of all time
November 15, 2025 at 7:04 AM
Took a bit, but we finally put together the Lego Polaroid. Thanks again @vlt.sh for the raffle!
November 15, 2025 at 5:48 PM
Reposted by Patrick Heneise
After a few months of targeted attacks on our ecosystem, followed by a confusing and rapidly changing response from @github.com, we wanted to put together some guidance for maintainers on how to help us all secure our supply chain together.

Here is that guidance 👇
With npm supply chain attacks on the rise, secure publishing practices are becoming a pressing concern for anyone maintaining npm packages. ⚠️

We've released updated guidance to help maintainers reduce exposure, strengthen release processes, and protect the ecosystem: openjsf.org/blog/publish...
Publishing More Securely on npm: Guidance from the OpenJS Security Collaboration Space | OpenJS Foundation
The OpenJS Security Collaboration Space has been working closely with GitHub’s npm team to understand how new security features affect projects and maintainers, especially as threats and tools keep ev...
openjsf.org
November 14, 2025 at 4:21 PM
Doing my part 🩸 #donateblood
November 14, 2025 at 4:25 PM
Reposted by Patrick Heneise
The latest npm attacks & changes have pushed me to set up Trusted Publishing via GitHub Actions, and honestly it's actually fantastic.

Didn't realise how much hassle & friction manual publishing was. npm version + push --tags is incredibly convenient (and safer + more verifiable for everyone!)
November 13, 2025 at 2:05 PM
Really strange clouds along the front range today!
November 11, 2025 at 8:01 PM
Reposted by Patrick Heneise
Ever wonder why @nodejs.org drops new versions like clockwork? Here’s the scoop. ⏱️

@rafaelgss.dev shares all the details about the Node.js release schedule in our new series, JavaScript Security Snapshot.
November 11, 2025 at 3:28 PM
American experiences ✅: another driver stole my parking lot. 😤
November 11, 2025 at 5:08 PM
November 10, 4pm in Boulder. Sitting outside in a T-shirt at 20°C. This is insane. 🔥
November 10, 2025 at 10:57 PM
We have some trees in the neighborhood that boast all autumn 🍂 colors from green to yellow to red and it’s amazing to bike through the streets in the morning.
November 7, 2025 at 4:10 AM