great to see some signs of life but I hope they take the much needed security improvements more seriously. Very obvious contrast issues with code blocks in readme and deprecation notices don't really instill trust in the review process.
Posts by dominikg
German bureaucrats might know how to spell digital sovereignty, but they still don’t understand what it entails.
this!
also available as text version:
www.terrygodier.com/the-last-qui...
It's di.day again next Sunday.
If you are still using instagram, time to leave.
You may have heard me being critical of vibe coding.
But with Anthropic finally open sourcing claude code cli, I wasted no time to dive into it and build you the svelte vibe coding tool you deserve:
`npx svibe`
happy svibing!
The signature would include their repo, so this change in the signature can be detected. @danielroe.dev has something that does it already and maybe it can be added to @npmx.dev
If an attacker gains full access to an npm account with publishing/settings access, they can update its configuration to point at their own fork of a repo, update the trusted publisher settings to use that repo and publish a malicious version with a valid trusted publisher signature, yes. But ...
@npmx.dev also has a builtin diff viewer that even includes a dependency change summary:
npmx.dev/diff/axios/v...
Hey @github.com, maybe you want to clear that up on your own site/blog and also clarify what your stance on these "suggestions" is for the future?
> this was surfaced more frequently than intended alongside other feature suggestions
My preferred frequency is 0, thanks.
You can (and should) limit which actions are allowed to be run in your repo github.com/<your-repo>/settings/actions or even org wide: github.com/organizations/<your-org>/settings/actions
Unfortunately it is set to insecurely allow all by default.
While you are there, also enforce pinning to a hash
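As an added illustration of the pinning advice above (example code, not from the original post), here is a small checker that scans GitHub Actions workflow text for `uses:` references that are not pinned to a full 40-character commit SHA; the workflow snippet and the all-zero SHA in it are constructed samples, not real references.

```python
import re

# Matches a `uses:` step reference of the form owner/repo[/path]@ref
# (quotes optional, trailing "# comment" ignored).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)@([^\s'\"#]+)", re.MULTILINE)
# A full commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: one tag ref, one branch ref, one SHA-pinned ref.
# The all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4
      - uses: some-org/some-action@main
      - run: npm test
"""


def find_unpinned(workflow_yaml: str) -> list[tuple[str, str]]:
    """Return (action, ref) pairs whose ref is a mutable tag or branch
    rather than a full commit SHA. Local (./path) and docker:// references
    are skipped because SHA pinning does not apply to them."""
    unpinned = []
    for action, ref in USES_RE.findall(workflow_yaml):
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if not SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


if __name__ == "__main__":
    for action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit SHA: {action}@{ref}")
```

Running it over the constructed workflow flags `actions/checkout@v4` and `some-org/some-action@main`, while the SHA-pinned step passes.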
:eyes: rooting for you.
Are you also discussing privacy?
Not only in terms of direct messages/private chat groups but also for public messages, how we will be able to control who has access to display them and an ability to remove/revoke that later?
Nah, it's not. They are showing everyone the finger by putting this opt-out thing there so they have an excuse to point to. And that's assuming they actually implemented it rather than just pretending, just like they are actually deleting your data on request ;)
How effective is that setting if someone forks your repo, quotes your comments etc?
Really not liking what github has become. With all the ai pushing and ui inconsistencies it doesn't feel like home anymore.
Going to use others in the future, tangled.org, codeberg.org or self-hosted forgejo
A balance chart for babel and webpack with their last balance on 27 Mar 2026 being USD 152,522 and USD 93,005 respectively
Made a site to compare projects on Open Collective. Some are managing funds really well while others are burning through quite a bit. octrends.bjornlu.com
screenshot of the deployment screen on Vercel showing build times dropping from a consistent 4-4.5 minutes before Vite 8 and 2.5 minutes or less after.
Just remembered to check my #sveltekit build times on Vercel after updating to #Vite8. Thanks @voidzero.dev @dominikg.dev
This goes both ways for me. The amount of automated comments on PRs is getting out of hand.
A single-line "click here to open the preview deployment" comment is nice, but multiple by llm tools competing for attention, with ad links and multiple collapsed detail blocks? damn
Screenshot from fightchatcontrol with a template to write to MPs
🚨No Joke: Conservatives in the EU Parliament (EVP) want the vote on #ChatControl 1.0 to be repeated this Thursday - even though the Parliament already voted NO! 😡
Make sure your MP stays strong. Contact them now!
👉 fightchatcontrol.eu#contact-tool
TIL, that's great!
I would prefer that was the default on duckduckgo.com with ai features opt-in on ai.duckduckgo.com
You can also customize your settings on duckduckgo.com/settings, show the bookmarklet and use that in your browser's search engine setting instead.
While it's great that it can be self-hosted, it doesn't solve the issue with search engines manipulating their results. It is a meta search, so no indexing on its own (you don't want to self-host that either way).
happy duckduckgo.com user here, but I wish it was easier to evade their ai stuff.
hacking away at a new @npmx.dev feature of course 👀
Join the Vite ecosystem tomorrow to celebrate the Vite Team 5th Anniversary by rewatching together the Vite Documentary! Let's remember the stories of the people who connected to extend together our shared commons. And stay at 3:45 PM UTC to participate in the live stage after the movie 💜
Now that I've got my rant about tsconfig paths out of the way, let's talk about all the great things.
What's your favorite thing about vite8?
Mine is the internal restructure. You'll hardly notice it right now and just say soo fast!! But future us are going to be soo happy for all it unlocks.
The other way around is what I'd do. Use a vite plugin to emit a tsconfig.vitepaths.json and extend your app config from that.
SvelteKit does something similar with its own config.kit.alias setting already
opt-in for very good reasons. In my opinion it should not be used/widely adopted.
resolve is a dark art already and tsconfig paths as additional source of truth is going to make that so much worse.
Not to mention ts6 is changing baseUrl semantics.
⚡️ Vite 8.0 is here!
The most significant architectural change since Vite 2.
⏬ Powered by @rolldown.rs bringing faster production builds and more consistency
🛤️ New features such as tsconfig paths and emitDecoratorMetadata support
vite.dev/blog/announc...
Open Collective has started using Persona as their verification provider
Our team members will not be using Persona to verify their identity; privacy is important. That's why we are closing our Open Collective account (and GitHub Sponsors)
You can still donate to us through Ko-Fi:
ko-fi.com/scan
Do you happen to know if anisota or blacksky are open source?
Found github.com/spuithori/to...
and tangled.org/jollywhopper...
As you know, one of the most underrated yet highly scalable (and therefore dangerous) attacks is a supply chain attack, when you can get attacked from node_modules.
pnpm has the most advanced protection.
They’ve just published an article with guidelines:
pnpm.io/supply-chain...
GrapheneOS is a good choice if you want to degoogle your phone.
One caveat is that you currently have to use a google pixel phone to use it. Starting 2027, you can also buy a motorola phone instead.