I wrote a thread about my home and IoT network setup, but it's on the non-corporate network: fosstodon.org/@dominykas/1...

There's a Lithuanian band who like to sing Killing in the Name during protests which is all nice, but really - where's the Know Your Rights of 2026? Any Bob Dylans still exist?

Wtf @isaacs.bsky.social?

Today's news is all Trump and no Epstein files, how's that happening?

I wonder how much of the world's pain could have been avoided had Obama been a liiiiiitle bit less peaceful (and not received that Nobel...)

It's enough to copy/paste your code styleguide into an AGENTS.md to make the news these days. I mean I really like that documentation is having it's 15 minutes of fame, but really - I don't get it.

aspirational

I want to produce some code 😭

Good thing I never stopped.

Thinking about the fact that most EU leaders still have an account on the American non-consensual child pornography website...

Well that will look great in the spreadsheet column called "Copilot sales" 🤭

So I built this over holidays: github.com/owhelm/helm-... It allows you to embed Kustomizations in your (wrapper) Helm charts to make changes to things that your dependencies don't expose the controls for. It still has work remaining, but it should be usable as is, at the very least as a PoC.

How come it's so hard to get 100% coverage in Go? Testing the error conditions is (unpopular opinion) more important than testing success cases (which generally just work and immediately give you like 50% coverage, depending on language).

Go's os#Root is nice. We should have it in Node.js.

The Claude Code integration in IntelliJ IDEA feels like it was built with Claude Code. The Copilot integration feels like it was built with Copilot. Make of it what you will.

So are you having your "oh shit" moment with LLMs today, or are you leaving that for tomorrow?

All the LLM tooling building their own chat interfaces with utter rubbish editors is deeply frustrating. I already have years of experience using chat interfaces. Make your chat interface work the way I expect. Give me all the features I have in Slack. Vibe code this if you have to.

No way this is actually happening 🥹 github.blog/security/sup...

It looks like @economist.com spent all the moneys on trying to make their mp3s not available, yet it took me all of 15 minutes to circumvent all of that. Look, folks, I pay you to make my life easier. You could have just not spent all that engineering effort and produced more content instead.

Every time I need to step out of the npm ecosystem, I immediately "you live like this?"

❗️Node.js Security release pre-alert ❗️ We will release new versions of v20, v22, v24, v25 release lines on or shortly after the 15th of December 2025 in order to address: * 3 high severity issues. * 1 low severity issue. * 1 medium severity issue. nodejs.org/en/blog/vuln...

Hey @react.dev or @nextjs.org I did a unique Defensive Coding workshop at DEFCON and NodeConfEU that's exploring techniques to avoid prototype pollution attacks, no matter how powerful. I'd be willing to run it for free for the teams around RSC. Do I know anybody who could help arrange that?

Am I getting it right: your so called president is pardoning a person convicted for drug trafficking, while blowing other alleged drug traffickers out of the water? And he will get away with it?

Can't get over the fact that external security vendors are able to block malicious npm packages faster than Github.

Folks would have seen a warning in sfw within minutes of the original publish, when automated scanning detected the potential malware and it was marked as “potential malware”. Further along in the malware campaign, human review was roughly happening in realtime, so sfw was blocking more quickly.

every option, including "no 2FA at all", *can* be made secure. The problem is that it shouldn't even be POSSIBLE to publish insecurely - and either way, defaults matter. OIDC and token-based publishing are default insecure, full stop.

We need them to enforce it on OIDC publish or turn OIDC publish off until it can be enforced, and to treat this with the urgency it needs. I want to be able to stop having this discussion every other week and go into the new year without more supply chain incidents over the holidays.

Hello? Microsoft? Any humans still there?

@socket.dev hey folks, it is a bit unclear from your post, but which of the recent attacks was sfw able to catch in practice?

> as in its current state it wouldn’t prevent attacks such as Shai-Hulud and other recent ones. From our blog, almost like we knew. 🔮 openjsf.org/blog/publish...

"grok". He friggin ruined the perfectly great word "grok". What an asshole.

A lot of repos already have this information. Why are they being forced to put it in a different format in a different location for robots? Or did the robots get trained on human behavior to not read existing documentation? github.blog/ai-and-ml/un...

Node.js is actually good now. Opened a repo that has code that's probably some 7-8 years old, because it had a renovate PR for a while. Closed the renovate PR and instead removed 6 dependencies, replacing them with built-ins.

Not that anyone here needs to hear this, but for the record, in a democracy "people voted differently from the way I expected or hoped" does not constitute evidence of fraud, no matter how many pretty charts and graphs of "voting patterns" you make.

I see a lot of people here being smug about AWS having a major outage. 😞 What happened to #hugops?

I was going to say that staying in your neighborhood on a Saturday is not a protest, but a picnic. However that video 😲

To give some credit (I don’t mean to be so harsh) it is a series of *really deep* paper cuts. But the real ailment is internal bleeding, and neither bandaids (the right paper cut treatment) not the cast fix the problem. We need forced 2FA supported from CI.

Someone should make one of these giant frog style costumes that looks like an Irish Mammy. Then you can protest as Aunt Aoife.

Get a permanent access to publishing with a single factor as long as you publish from github but no 2fa totp for your setup that can't be stolen at scale.

Why are @github.com tokens allowed to have no expiry but @npmjs.bsky.social are about to make every IT team's lives a living hell? This is just more security theatre. Think harder @microsoft.com.

copilot is smarter than ever (we no longer have accurate counts of pull requests on the pull requests tab)

🚀 BIG NEWS: We just shipped @platformatic/python - run Python ASGI apps INSIDE your Node.js process! This changes everything for AI/ML + Node.js apps 🧵 youtu.be/8eAAP9IF4xA

Wha?! How is this even possible? Almost 1 GiB per day? I don't even watch the videos or anything.

Just received an SMS from an unknown number. Moments after, Google changed that to show me the first and last name of the person. How is this legal?

What are people using to track their reading these days? Goodreads, Storygraph? #reading

Will Github ever take spam detection seriously? Aka at all? They don't have even at the most basic blatant spam detection that any self-respecting email provider had 15 years ago, and now that we have AI you'd think it would be useful at least for this. Why do I have to keep doing this manually?

My assessment is that they're forcing people into Github Actions while not solving any of the recent problems? github.blog/security/sup...

How come verdaccio does not have a way to quarantine packages for a number of hours? Anyone tried building a plugin for that?