William Woodruff (1.3.6.1.4.1.55738)
yossarian.net
@yossarian.net
skeeting in accordance with the universal law.

yossarian.net / blog.yossarian.net
I also agree that there are potentially better ways to *structure* this kind of dependency awareness, but a public registry + consensus mechanism requires people to commit to building and operating those things, which isn't trivial! That's something I think needs future work, though
January 9, 2026 at 3:51 PM
those are good questions that a lot of people had! I covered them in some detail in a follow-up here:

blog.yossarian.net/2025/12/13/c...

TL;DR yes, the assumption is that security scanners provide more value than users incidentally tripping over malware, i.e. universalization is not a concern
Dependency cooldowns, redux
blog.yossarian.net
January 9, 2026 at 3:51 PM
thank you, fixed!
December 29, 2025 at 3:45 PM
thanks for the kind words!
December 1, 2025 at 4:14 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
I'm a big fan of zizmor.sh by
@yossarian.net to provide static analysis of GitHub Actions workflows as I'm working on them. The remediation advice is also top notch, for `pull_request_target` as an example: docs.zizmor.sh/audits/#dang...
zizmor - Static Analysis for GitHub Actions
Find and fix potential vulnerabilities in your GitHub workflows and action definitions with zizmor's powerful static analysis.
zizmor.sh
December 1, 2025 at 3:59 PM
that would be so awesome!
November 21, 2025 at 7:18 PM
I didn’t know that! This is like trying ketchup chips in Canada and realizing I couldn’t get them in the US
August 18, 2025 at 11:54 PM