Posts by Miroslav Bajtoš

btw I periodically have to recommend runcat because it rules. the kitty runs faster when cpu goes up apps.apple.com/us/app/runca...

1 day ago 428 42 23 6
avoid the next malicious package disaster with pnpm security hardening: github.com/lirantal/npm...


Security Best Practice: Set trustPolicy: no-downgrade so that pnpm refuses to install any package version whose trust evidence is weaker than a previously published version of that package

1 day ago 2 2 0 0
The peril of laziness lost | The Observation Deck

The peril of laziness lost bcantrill.dtrace.org/2026/04/12/t...

3 days ago 274 87 5 17

automate the world's misinformation is the new organize the world's information

6 days ago 20 9 0 1
A Cryptography Engineer’s Perspective on Quantum Computing Timelines The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

1 week ago 296 123 10 20

We've been worrying about UX patterns that train users into dangerous behaviors for a while, but they weren't exploited often.

Alas, it looks like it was just because there was lower-hanging fruit. We've been improving auth stories, so now targeted phishing is moving to looking like innocent UX.

1 week ago 104 19 4 0
while we're on the topic of axios malware and supply chain security...

I have friends who do blind upgrades in CI and other places. please don't be them. never blindly install software. npm install == sh -c. not worth it.

2 weeks ago 2 1 0 0

A historic day for Ecma specs 😉

2 weeks ago 22 1 0 0
Supply Chain Attack on Axios Pulls Malicious Dependency from... A supply chain attack on Axios introduced a malicious dependency, plain-crypto-js@4.2.1, published minutes earlier and absent from the project’s GitHu...

🚨 NOT AN EARLY APRIL FOOLS! 🚨

Active supply chain attack on axios@1.14.1. The latest version pulls in plain-crypto-js@4.2.1 -- a brand-new package that didn't exist before today!

If you use axios, pin your version and audit your lockfile.

Socket's Analysis: socket.dev/blog/axios-n...

2 weeks ago 1 1 0 0
FYI on April 24th GitHub will begin training on your code for GitHub Copilot so unless you want this forced default opt-in, go to settings and disable 👇

2 weeks ago 4 3 1 0

Upgrading my git experience:

brew install difftastic mergiraf

2 weeks ago 0 0 0 0

slop is something that takes more human effort to consume than it took to produce. When my coworker sends me raw Gemini output he’s not expressing his freedom to create, he’s disrespecting the value of my time

3 weeks ago 926 247 12 32
Noq: n0's new QUIC implementation in Rust (www.iroh.computer)

noq is a new QUIC library in town, written in rust: https://www.iroh.computer/blog/noq-announcement

3 weeks ago 13 5 0 0
The Three Pillars of JavaScript Bloat A brief look at the three main causes of bloat in our JavaScript dependency trees, and how we can start to address them.

new post on my personal blog.

i think these three areas often go unexplained, so hopefully this explains why some of these packages exist. these are fine to exist but the majority of developers shouldn't have to pay the cost for them.

3 weeks ago 150 45 12 2
Matteo, you're in my project 😉
Good collection of skills there at github:mcollina/skills - thanks buddy!


Heads up, this uses Tessl skills manager so I can version, compose and track these agent skills. Nice CLI. Recommend.

4 weeks ago 2 1 0 0
.@nodejs has always been about I/O. Streams, buffers, sockets, files. But there's a gap that has bugged me for years: you can't virtualize the filesystem.

You can't import a module that only exists in memory. You can't bundle assets into a Single Executable without patching half of core.

👇

4 weeks ago 107 17 5 3
Delegates of TC39 in Google's Chelsea Market office

ECMAScript excitement 😉

This week in NY @tc39.es advanced these proposals 🎉

4⃣ Intl Era/Month Code
4⃣ Temporal
3⃣ Import Text
2⃣.7⃣ Error Stack Accessor
2⃣.7⃣ Iterator Includes
2⃣ Intl Unit Protocol
2⃣ Thenable Curtailment
1⃣ Error Code Property
🗑️ Dynamic Import Host Adjustment

1 month ago 34 5 2 0
Looking forward to reuniting with friends for 𝐀𝐈 𝐍𝐚𝐭𝐢𝐯𝐞 𝐃𝐞𝐯𝐂𝐨𝐧 2026 in London on June 1-2


You'll learn about building real AI-native systems at production scale and my talk is going to be on AI Agents and Skill Security ✨


RSVP: tessl.io/devcon

1 month ago 1 2 0 0
pnpm + Git Worktrees for Multi-Agent Development | pnpm When multiple AI agents need to work on the same monorepo simultaneously, they each need an isolated working copy with fully functional node_modules. Git worktrees combined with pnpm's global virtual s...

pnpm + Git Worktrees for Multi-Agent Development

pnpm.io/11.x/git-wor...

1 month ago 38 7 1 1
perf(ext/web): reduce promise allocations in streams by bartlomieju · Pull Request #32652 · denoland/deno Summary Collapses uponPromise's double .then() chain into a single .then() — the second chain only caught internal assertion errors, now handled via try/catch in wrapped handlers Converts setP...

TransformStream will be up to 16% faster across the board in Deno v2.7.6. No changes needed in user code.

github.com/denoland/den...

1 month ago 26 3 1 0

So here's why we experienced a problem with Eurosky last night 🧵

Our systems (the PDS) were up and running as normal. The issue was that data from our systems stopped flowing into the part of the network (the relay) that leads to the Bluesky app.

1 month ago 146 37 5 10

THE DREAM IS ALIVE

1 month ago 10 3 0 0
Vercel is a good example for an AI native company. They've fully embraced agents and agentic workflows, especially within developer tooling. They're dev-oriented to the bone. Nicely done here.

h/t to Rhys for sharing

1 month ago 2 2 0 0

I guess we're real now!

1 month ago 101 11 3 1
Node.js — Evolving the Node.js Release Schedule Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

Node.js is moving to one major release per year starting with Node 27! 🚀

✅ Simpler: Every release becomes LTS.
✅ Predictable: Version numbers now align with the year.
✅ New: A 6-month Alpha channel for early testing.

https://bit.ly/4rnosLg

1 month ago 234 60 4 6

4376 now on @eurosky.social active in the last 7 days 🚀

1 month ago 95 16 2 0
Pwning Claude Code in 8 Different Ways Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc. A few months ago, I came across an interesting behavior while using Claude Code—it executed a command without my approval. Since I wasn’t using the permission bypass mode, I decided to investigate further to understand why it was able to execute commands without explicit approval. TL;DR I discovered 8 ways to execute arbitrary commands in Claude Code without user approval.

Pwning Claude Code in 8 Different Ways from RyotaK is a good write-up on command injection vulnerabilities spawning life in AI coding agents: flatt.tech/research/pos...


I highly recommend reading. Personally relatable since I wrote a Node.js secure coding book on this topic in particular and argu

1 month ago 3 2 0 0
Practical Decentralization The point of decentralization is to guarantee the rights of individuals and communities on the Internet. Pulling that off is a balancing act between practicality and ideology.

New blogpost about atproto

It's not federation, it's not a p2p mesh. It's a secret third thing: practical.

www.pfrazee.com/blog/practic...

1 month ago 582 141 31 32

Just finished migrating my account to @eurosky.social. 🇪🇺

I love having the option to switch providers while preserving all my posts and connections. 😍

1 month ago 0 0 0 0