
Posts by Liran Tal


here are the security insights you get when you run `npx repolyze` on the unhead npm package (known to have previous vulnerabilities that were fixed)

1 day ago

what if you had a CLI to analyze your repo source code for common issue hotspots from git commit patterns?

$ npx repolyze

1 day ago

doing DevRel means you get to work on a lot of fun projects; building a telnet server in 2026 for RSA that is essentially a thin BBS to showcase the Snyk AI Security platform has been one of those things :-)

1 day ago

back in February when OpenClaw was getting exponential by the hour, I deep-dived into agent skills security research with the awesome AI security team at @Snyk

now I'm gonna share with you a bunch of these learnings and findings at Tessl's AI Native DevCon in London on June 1-2

who's coming??

1 day ago

y'all coming to AI Native DevCon in London tessl.io/devcon/?

would love to see ya there (June 1-2) and talk about agentic development security topics, I'm sure you have many questions! 😉

2 days ago

if you want to compare tokenization side-by-side to compare different texts check out: token-compare.pages.dev

2 days ago

ok seriously not sure why I waited so long before deploying static websites to Cloudflare...

actually super easy and nice DX
good job CF peeps!

2 days ago

frigging love open source devs

2 days ago

Cloudflare imagine the DX for wrangler CLI if you can help alleviate env vars resolution in smarter ways

3 days ago

another very nice catch by the Qodo AI code review bot that prevented potentially insecure guidance from landing in an npm security best practices repository

the details matter!

3 days ago

why in the frigging hell is this repository list not ordered properly?

GitHub, do you really think I want to select a repository from 2014 to give an app access to? please fix

3 days ago

dependency cooldown across package managers (npm, bun, pnpm): github.com/lirantal/npm...

These configurations prevent package managers from installing any package version that was published less than the specified time period ago

btw Snyk automatically includes a built-in cooldown period for de

3 days ago

avoid the next malicious package disaster with pnpm security hardening: github.com/lirantal/npm...

Security Best Practice: Set trustPolicy: no-downgrade so that pnpm refuses to install any package version whose trust evidence is weaker than a previously published version of that package

4 days ago

prevent the next npm supply chain security incident with pnpm security hardening:

4 days ago

your daily reminder for npm security best practices

4 days ago

not gonna lie, I feel like I'm back at uni again

5 days ago

GitHub - lirantal/tokenu: a unix-like du command line tool to count token usage per files and directories

tokenu - give your agents a CLI to count tokens size of files and directories: github.com/lirantal/tok...

5 days ago

GitHub - lirantal/pypi-security-best-practices: Collection of PyPI registry package manager Security Best Practices featuring uv and pip

I put together a new PyPI Security Best Practices guide for Python package managers (uv and pip) github.com/lirantal/pyp...

Appreciate review and assistance keeping this one up to date ✨

5 days ago

nock is a popular and well-known HTTP mocking library for JavaScript but version 15 had a provenance regression

how do I know?

$ npq nock

also works with

$ npq install nock

which passes through to your package manager of choice to actually install after the supply chain checks

5 days ago

what if you used npq to assess bad package health signals and vulnerabilities before you installed malware from npm...?

$ npq <package>

also works with

$ npq install <package>

which passes through to your package manager of choice to actually install after the supply chain checks

1 week ago

did we talk about Claude Code source code having the axios dependency in it or did it fly through everything else... just wondering if someone took a look at the actual versions in-use

1 week ago

is this a known coding pattern with composer-2 ?

1 week ago

it is so easily telling that this code is LLM generated

what other tells have you noticed?

1 week ago

I know developers only pay attention to security when incidents happen but here's your chance to take some agency and proactively learn, tighten and adopt tools and techniques to avoid becoming the next victim of supply chain trauma

1 week ago

oh look, axios is trending on GitHub, must be a great library. brb, going to install latest version.

1 week ago

insane, and maybe you don't really get how complicated and involved the process is if you didn't do exploit development before, but this is incredibly effective and only going to accelerate

if you're not highly alert and wholeheartedly concerned yet... well, the blow is going to hurt

1 week ago

software to a container
ai agent to a sandbox

i do not make the rules 🙅‍♂️

2 weeks ago

software belongs in a sandbox

2 weeks ago