Kind reposts
Reposted
natali (@natali.rip)

Post details
sorry i'm late, i didn't want to come
Reposted
fallthrough (@fallthrough.fm)

Post details
It usually only takes 1 project for an open source maintainer to learn they need to set boundaries. Unfortunately, that 1 project often becomes load bearing infrastructure before we've even realized what's happened, putting everyone in quite a predicament. @www.jvt.me.web.brid.gy #opensource
Reposted
fallthrough (@fallthrough.fm)

Post details
The open source world was designed for a world where there was more friction for doing things. With LLMs a lot of that friction has been removed. Sometimes that means we have to ask a potential contributor "are you a human?". @www.jvt.me.web.brid.gy #opensource #tech #llms
Reposted
Andrew Nesbitt (@andrewnez.mastodon.social.ap.brid.gy)

Post details
People are worried about AI killing open source, I'm more worried about some companies looking to enclose open source under the premise that AI is making it too risky. https://newsroom.ibm.com/2026-05-28-ibm-and-red-hat-commit-5-billion-to-redefine-the-future-of-open-source-in-the-ai-era
Reposted
Andrew Nesbitt (@andrewnez.mastodon.social.ap.brid.gy)

Post details
The best time to prune your dependency trees was 3 years ago, second best time is right now.
Reposted
Cassidy (@cassidoo.co)

Post details
Heads up maintainers of packages, this is a big deal: https://github.com/orgs/community/discussions/196340
Reposted
Pavel (@spavel.bsky.social)

Post details
too soon
Reposted
Mike McQuaid (@MikeMcQuaid)

Post details
Open source maintainers at profitable companies: stop asking permission to fix what your employer already depends on. No paperwork. No programme. No manager’s blessing. Just maintain it on the clock.

Reposted
The Nuanced Writer (@skriptble.me)

Post details
It’s a sort of meme that engineers aren’t good writers. That includes software ones. And now we’re supposed to believe we can take an entire industry of not-that-good writers and transform them, in a few months, into people whose primary job is not writing code but writing prose? lolwut
Reposted
Mike McQuaid (@MikeMcQuaid)

Post details
Your regular reminder that shitting on OSS on social media is a selfish thing to do. Good job sapping volunteer maintainers’ motivation in exchange for your “internet points”. Next time: try rolling up your sleeves and contribute a fix to the problem you’ve identified.

Reposted
Hugo van Kemenade (@hugovk@mastodon.social)
Post details
Starting with v8.0.0, Astral switched setup-uv to immutable releases with no floating v8 tags. This is good for security. But unfortunately #Dependabot and #Renovate couldn't upgrade from v7 to v8.0.0, and need a manual bump to get back on track. This is not so good for security. I posted about this on the three social networks, someone tagged @www.jvt.me@www.jvt.me and soon after Renovate now supports this! 🎉 Here's his writeup into the world of #GitHubActions tags: https://www.jvt.me/posts/2026/04/24/github-actions-tagging/
Reposted
Nick Taylor (@nickyt.online)

Post details
What I learnt at day 1 of the @github.com Maintainer Summit. Shower oranges.
Reposted
Veni Kunche (@veni.dev)

Post details
If schools have money for AI, I'd rather they use that to pay teachers more
Reposted
@usrbinkat.io

Post details
Tired: supply chain attack Wired: supply chain is attack
Reposted
kat cosgrove (@kat.lol)

Post details
GitHub appears to have opted anyone using the CLI into sending telemetry they will use to inform product decisions. This is sneaky and should have been an opt-in decision, not opt-out. Disable it with `gh config set telemetry disabled`. https://cli.github.com/telemetry
Reposted
Renovate (@renovatebot.com)

Post details
The reddit engineering team wrote a great post about how they're using Renovate for their dependency management - very interesting and some good learnings on how they keep things patched at scale! https://www.reddit.com/r/RedditEng/comments/1s1q879/dependency_hell_aka_how_i_learned_to_stop/
Reposted
Marisa Kabas (@marisakabas.bsky.social)

Post details
men can’t understand what it’s like for women to see story after story after story of women being victims of sexual violence in a culture where it’s routine; what it’s like to live in a world that is fundamentally hostile to our existence. it’s a wonder we leave the fucking house, let alone thrive.
Reposted
Paul Hinze (@phinze.com)

Post details
same, postgres, same
Reposted
VM (Vicky) Brasseur (@vmbrasseur@social.vmbrasseur.com)
Post details
I would really like a week to pass when I don't hear that yet another friend has been laid off. The tech industry is in freefall.
Reposted
Ela (@ela@infosec.exchange)
Post details
"Age verification" laws are "we want to have all adults and their complete online profile in a database" laws, and that Persona, the company behind LinkedIn, Roblox, Discord ID and age verification is owned by Peter Thiel should be all you need to know.
Reposted
Andrew Nesbitt (@andrewnez@mastodon.social)
Post details
Requested post by @sethmlarson: Package Managers Need to Cool Down https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html
Reposted
Renovate (@renovatebot.com)

Post details
The #Renovate maintainers would like to get some specific feedback on a few areas - we'd love to hear from you: https://github.com/renovatebot/renovate/discussions/41414
Reposted
Lynn Fisher (@lynnandtonic.com)

Post details
Instead of an AI-generated hit piece, try sending your fave OSS maintainer a fun little card 💕 https://oss.cards
Reposted
Citizen Platano 🇵🇷 (@daniloc.xyz)

Post details
me at 17: a secret conspiracy of billionaires shapes global events me at 35: class interest creates emergent outcomes and aligned behavior, but there’s no smoky room where plutocrats plot to shape global events me at 41: a secret conspiracy of billionaire perverts shapes global events [contains quote post or other embedded content]
Reposted
tierney cyren (@bnb.im)

Post details
something you learn about open source when you work on a sufficiently large project is that you *shouldn't* welcome all PRs
Reposted
Molly White (@molly.wiki)

Post details
https://en.wikipedia.org/wiki/Prominent_individuals_mentioned_in_the_Epstein_files [contains quote post or other embedded content]
Reposted
Brittany Ellich (@brittanyellich.com)

Post details
If these CAPTCHAs get any harder I'm not sure I'm going to be able to pass them 😅
Reposted
Renovate (@renovatebot.com)

Post details
Reminder that #Renovate 43 came out yesterday! We landed a few breaking changes, so check out the release notes: https://github.com/renovatebot/renovate/releases/tag/43.0.0
Reposted
Imani Gandy (@angryblacklady.blacksky.app)

Post details
I'm legit unfollowing people who never use alt text. You're literally typing on a text based app. So why are you making Canva images with little pithy quips and no alt text. I honestly don't understand it.
Reposted
Hazel Weakly (@hazelweakly@hachyderm.io)
Post details
The two hardest problems in Computer Science are 1. Human communication 2. Getting people in tech to believe that human communication is important
Reposted
jb, sharkey edition (@jb)

Post details
Did someone post something? It's on mastodon.social. It's literally on booping.synth.download. It's maybe in wetdry.world. It's literally on gts.apicrim.es. You can probably find it on app.wafrn.net. Dude it's on shrimp.starlightnet.work. It's a infosec.exchange original. Check out mas.to for it. You'll find it on hachyderm.io. It's definitely on oomfie.city. Look for it on tech.lgbt. It's over on yeen.town. You can see it on waf.moe. It's been shared on akko.wtf. Go peek at fuzzies.wtf. It's trending on transfem.social. You can catch it on eepy.moe. Browse over to lethallava.land. It's on $INSTANCE$host$. You can read it on $INSTANCE$host$. You can go to $INSTANCE$host$ and like it. Log onto $INSTANCE$host$ right now. Go to $INSTANCE$host$. Dive into $INSTANCE$host$. You can $INSTANCE$host$ it. It's on $INSTANCE$host$. $INSTANCE$host$ has it for you. $INSTANCE$host$ has it for you.
Reposted
Brittany Ellich (@brittanyellich.com)

Post details
I'm sorry for what I said when I was overstimulated.
Reposted
Andrew Nesbitt (@andrewnez@mastodon.social)
Post details
If you funded a maintainer before they created their most successful package, you have a claim on it. The Law of Surprise is underutilized in open source.
Reposted
konnaire (@konnaire.bsky.social)

Post details
Everybody thinks 'https://' stands for 'hypertext transfer protocol secure' but it actually stands for 'head to this place, sucka' followed by a colon and two laser sounds
Reposted
Renovate (@renovatebot.com)

Post details
We've announced 6 Moderate Security Advisories, which allow for possible remote code execution, when an attacker has access to a repository's default branch. More info: https://github.com/renovatebot/renovate/discussions/40403
Reposted
Molly White (@molly.wiki)

Post details
i love the beginning of the year because everyone starts blogging. and if you (yes you) were thinking about starting, this is your sign
Reposted
Josh Bressers (@josh.bressers.name)

Post details
This week on #OpenSourceSecurity I chat with Jamie Tanna about updating open source dependencies. It's usually not as simple as "just update" and Jamie has a ton of real world experience in this working on Renovate https://opensourcesecurity.io/2025/2025-12-renovate-jamie/
Reposted
Glyph (@glyph@mastodon.social)
Post details
it's truly amazing what LLMs can achieve. we now know it's possible to produce an html5 parsing library with nothing but the full source code of an existing html5 parsing library, all the source code of all other open source libraries ever, a meticulously maintained and extremely comprehensive test suite written by somebody else, 5 different models, a megawatt-hour of energy, a swimming pool full of water, and a month of spare time of an extremely senior engineer
Reposted
Seva (@seva.bsky.social)

Post details
Jan 1: this is the year of new Me Jan 12: [eating shredded cheese directly from the bag] new years resolutions are a bourgeois construct for disciplining bodies into productive units for capital
Reposted
Joe (@joenash@hachyderm.io)
Post details
Please don’t go to enormous indoor events when you’re incredibly ill with a flu-like thing. Not even in a mask. Fuck sake.
Reposted
tyler supreme (@tylerhuckabee.bsky.social)

Post details
day one in mamdani’s new york
Reposted
rob pike (@robpike.io)

Post details
Fuck you people. Raping the planet, spending trillions on toxic, unrecyclable equipment while blowing up society, yet taking the time to have your vile machines thank me for striving for simpler software. Just fuck you. Fuck you all. I can't remember the last time I was this angry.
Reposted
Andrew Nesbitt (@andrewnez@mastodon.social)
Post details
We spent thirty years building tools to keep humans from falling into dependency hell, only to build a machine that jumps into the pit voluntarily.
Reposted
Charlie Stross (@cstross@wandering.shop)
Post details
It's December 23rd! Have a Merry Christmas Adam everybody! (Always comes before Christmas Eve and is generally unsatisfying.)
Reposted
Neil Macy (@neilgmacy@mastodon.social)
Post details
Saw an advert for a Trainline AI assistant thing, with a disclaimer at the bottom saying it’s AI, so might not actually be right. Why is it okay for AI to be unreliable? Why are we collectively so accepting of the idea?
Reposted
Marcus Noble (@averagemarcus.bsky.social)

Post details
Ugh! Racists need to just fuck off!
Reposted
Jordan Harband (@jordan.har.band)

Post details
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. https://www.npmjs.com/package/eslint-plugin-lockfile
Reposted
Renovate (@renovatebot.com)

Post details
FYI: We've changed the `GOSUMDB` environment variable on the Mend-hosted Renovate Cloud infrastructure, which may lead to impact to users with private Go modules. As we've noted in https://github.com/renovatebot/renovate/discussions/40041, this is due to previously used settings leaving users open to supply chain attacks
Reposted
Brittany Ellich (@brittanyellich.com)

Post details
Do you write blog posts, documentation, or anything for software engineers? Do you want to? Join us for the Writing for Developers book club with @overcommitted.dev, officially kicking off now! 🚀 Chapters 1+2 now, first discussion Friday. Join us in Discord to chat about it: https://discord.gg/d9gZyYuqKd