Playing the classics!

Why be knowledgeable when you can be Kyeswledgeable?

Is it just me, or do LLMs seem to love the word "shape"? "Shape of the problem." "Shape of the solution." Program architecture and data flow? "Code shape." Bug report structure? "Issue shape." One of those "once you see it, you can't unsee it" sort of shapes in life, I shappose.

Today's Daily Cartoon for @newyorker.com by Kevin Maher and me.

Daniel added a very cool detail that many other actions could also adopt: The usage examples in the README pin the action to the specific commit SHA of the latest release.

Instead of doing more, let’s do better.

Whee! Published @badrap/valita v0.5.2 using both trusted & staged publishing just now insert party emoji here

Speeding up the JS ecosystem OXC edition 🚀 We made both oxfmt and oxlint 50% faster on projects with >50k directories. marvinh.dev/blog/speedin...

the trubo is vulnerable

The recent wave of vulnerabilites, found in part with AI, has laid bare just how load-bearing ”scarcity of human attention” has been for the cybersecurity house of cards.

Deno’s FormData, URLSearchParams + Headers show O(n²) behavior in .set()/.delete() when many repeated keys are present. Example: FormData.delete("_") on ~1MB of _=&_=&_=&... Node: ~4ms Deno: ~74s Could turn otherwise reasonable cleanup of untrusted request data into a potential DoS vector. 1/3

7 months to go

More companies, governmental organizations and community projects should adopt the security.txt convention/proposal: securitytxt.org Making security contact discovery as easy as possible is good for everyone. Yes, even within the context of the recent AI vulnerability report slopocalypse.

We will see a huge wave of security vulnerability reports. But this influx shows we should have spent more time on security tooling and research in our projects, rather than treating it as a new paradigm that requires us to change the way we collaborate.

Huge fan of Christopher Nolan’s film trilogy Batman Begins, Batman Continues, and Batman Ends.

Quadratic blowups are like the sun: stare at one long enough and you start seeing them everywhere. I’m very good at similes.

What if there was a man in the middle attack but the man in the middle was like, really chill. What if he was basically a chill guy who didn't mind if you sent a secret or whatever

This started as an off-hand joke, but it made more sense the more we thought about it 😅

me when i get shot

Switched @badrap/valita to ESM-only, pretty cool how @npmx.dev celebrates the package size reduction 🎉 npmx.dev/package/@bad...

A free press makes openness possible for everyone.

Gonna adopt this practice at the workplace. - So that's it for the status meeting. See you next week! - And hey, everyone, don't mention the goblins. - ...What? - Or the pigeons.

Some personal news:

Announcing the general availability of Schrödinger's Pull Requests

There's highly personalized phishing, and then there's this.

Sometimes notifications can be delightful.

Should @preactjs.com implement this new IETF draft? www.ietf.org/archive/id/d...

This is what going on the internet used to feel like

A career highlight for sure!

"Days of arguing about exploitability can save minutes of fixing the bug." -- Socrates, on vulnerability disclosure

A gentle reminder that while `pnpm install` (or `bun install`) doesn't run the lifecycle scripts of the dependencies by default, it *does* run them from the repo's own package.json. Let's be mindful when cloning and exploring all those new & exciting projects on our local machines.

What a demo! Razor 1911 celebrating their 40 years of activity on the scene. www.youtube.com/watch?v=2Anb...

”FATHER WHY MUST I EXIST”

Badrap is happy to support @npmx.dev in an advisory role. A better developer experience can be a boon to security. Easier access to trust signals and tips for avoiding unnecessary dependencies, among other things, help make stronger supply chain choices. Read their intro: npmx.dev/blog/alpha-r...

GitHub's auto-suggest using the display names instead of the account names isn't really doing us any favors. The latter "Dependabot" here is our beloved, and very fake, depenbadot.

brb gonna update some actoins github.com/acticns/setu...

Update: depenbadot just now got its first invite to collaborate on a repository 😟

Worry not, Coplllot is on the case.

It's, uh, less than ideal that I'm allowed to claim a GitHub username like this.

Okay, so it turns this is really, really slow. Which led to CVE-2026-30226: github.com/sveltejs/dev... Thanks to @ell.iott.dev and the rest of the @svelte.dev team for a well-handled vuln process, a pleasure as always 🫡

Wise words

New @react.dev patches released today for CVE-2026-23864. Fixes for DoS issues reported by several people, including Yours Truly 🙂 The blog post at react.dev/blog/2025/12... has been updated with the new info.

O(n²) works great until n+1.

me: move fast and break things my dentist: what

scoreboard

Huge props to the @svelte.dev team for an exceptionally well-handled vulnerability process, despite my terrible timing of reporting the devalue issues just before New Year’s Eve 🙂

OPEN YOU'RE EYES 👁️👄👁️

◉‿◉

Pretty cool that you have to create a Facebook account to file a vulnerability report to Meta.