Yeah, I think my single biggest regret from that post is using Dependabot for the example; their cooldown feature is way buggier than I realized (and that’s only being shaken out now that people are using it more). Longer term I think each packaging ecosystem is implementing this directly
Posts by William Woodruff (1.3.6.1.4.1.55738)
Brocards for vulnerability triage
blog.yossarian.net/2026/04/11/Brocards-for-...
#security #oss
the last two weeks have been ~exciting~ in terms of open source security! I've put together a post on Astral's blog about how we think about open source security:
astral.sh/blog/open-so...
Just cut a new release of `pypi-publish` v1.14.0!
It's now verbose by default and prints out hashes. You can opt out, though.
The rest is internal updates, housekeeping, docs.
github.com/pypa/gh-acti... / github.com/pypa/gh-acti...
#python #Packaging
have you seen the new supply chain vuln? don't update tubu. it's literally on heebee. they got poodee's deps. they infiltrated dippy. roll back weeno. disable scripts in ~/.gumpyrc. it's in poob. do not install poob. do not update poob. uninstall poob right now. poob has it in for you.
absolut etrog limited edition
I also agree that there are potentially better ways to *structure* this kind of dependency awareness, but a public registry + consensus mechanism requires people to commit to building and operating those things, which isn't trivial! That's something I think needs future work, though
those are good questions that a lot of people had! I covered them in some detail in a follow-up here:
blog.yossarian.net/2025/12/13/c...
TL;DR yes, the assumption is that security scanners provide more value than users incidentally tripping over malware, i.e. universalization is not a concern
thank you, fixed!
Some flexibility with Go’s sumdb
blog.yossarian.net/2025/12/29/Some-flexibil...
#security #go #cryptography
At the gpg.fail talk and omg #39c3
You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.
Won’t even blame PGP here. C is unsafe at any speed.
gpg has not fixed it yet.
Dependency cooldowns, redux
https://blog.yossarian.net/2025/12/13/cooldowns-redux
#security #oss
I've been SHA-1 pinning ever since I started using GitHub Actions, but I didn't think of transitive (compound) actions, which can use unpinned sub-actions. This is fine 🔥🐶☕🔥
Time to set up zizmor.sh by @yossarian.net for automated scanning; I've had it in my "tools to try" list for a bit.
ICYMI, we want your #security talks at #PyConUS 🤩 CFP closes December 19th
#python #supplychain #opensource #oss
pycon.blogspot.com/2025/11/trai...
thanks for the kind words!
I'm a big fan of zizmor.sh by @yossarian.net to provide static analysis of GitHub Actions workflows as I'm working on them. The remediation advice is also top notch, for `pull_request_target` as an example: docs.zizmor.sh/audits/#dang...
There's a nasty #OpenSource #SupplyChain worm going around named Shai-Hulud. It's also capable of exposing some projects' long-lived PyPI API Tokens. Read more on what's happening, and what you can do to protect your projects.
TL;DR: Adopt Trusted Publishing 🔐🚀📦
blog.pypi.org/posts/2025-1...
that would be so awesome!
We should all be using dependency cooldowns
blog.yossarian.net/2025/11/21/We-should-all...
#security #oss
All the world's developers are a toddler and X.509 is the neighbor's unfenced pool.
Dear GitHub: no YAML anchors, please
blog.yossarian.net/2025/09/22/dear-github-n...
#programming #rant
Having met with both sides on the current RubyCentral/RubyGems situation, here's my take:
- RubyCentral have managed this exceptionally poorly in many ways, including removing, by mistake, literally the most active member of the RubyGems organisation, who has declined to return
maslow’s hierarchy of needs? yeah, I think I’ve heard of that somewhere before
One year of zizmor
blog.yossarian.net/2025/09/14/one-year-of-z...
#devblog #programming #rust #zizmor
finally learned what a "labubu" is from my local bodega. very helpful
Just cut a new release of `pypi-publish` v1.13.0!
It's got an internal runtime update, housekeeping, and also diagnostic messages and security improvements from @yossarian.net!
github.com/pypa/gh-acti... / github.com/pypa/gh-acti...
#python #Packaging