Posts

Using LLMs at Oxide

Once again, some supremely well-thought and useful content from Oxide: https://rfd.shared.oxide.computer/rfd/0576 This time it is about the use of LLMs within Oxide; here are my main takeaways:

1. Start from values! A phenomenal example of how values can be so much more than the vanity checklist that most companies use them for.
2. Focus on the receiving end: why should I spend time reading something that the author did not think was worth enough spending the necessary time to write it? Again, goes back to their strongly writing-oriented culture and values.
3. Corollary of item number 2: self-review AI-generated code before asking others to review it!

On supply chain attacks and dependency cooldowns

After the recent npm attacks, there have been many recommendations to leverage dependency cooldown as an additional mitigating factor. Dependency cooldown works by instructing the package manager to ignore releases that are younger than a certain threshold. The reasoning is that a vulnerable package will eventually be detected (and removed) in less time than the threshold, therefore preventing the attack. This, combined with dependency pinning (including transitive dependencies!), is a very powerful tool, but introduces an issue for anyone using internal dependencies. For those the cooldown will have the undesired side-effect of blocking internal dependency updates which might contain urgent fixes. I haven't checked all package managers, but I did check some of the most popular languages. Also, cooldown is not supported everywhere and sometimes is supported with noteworthy exceptions.

Nodejs

Use or switch to pnpm and use a combination of minimumR...

On the Thoughtworks Technology Radar 33 - Nov 2025

Thoughtworks just published volume 33 of their Technology Radar. I found some interesting gems in it that I thought were worthwhile re-sharing:

- LiteLLM: I've been playing around with it to share AWS Bedrock models over a local, OpenAI-compatible API and I am impressed with the breadth of features (for example budgeting). The AI ecosystem is vibrant and flourishing.
- Continuous Compliance: so happy to see this mentioned! Personally I would expand the term to include other compliance tools like Vanta and I am convinced that this kind of automation and software will be essential for organizations to scale while meeting increasing regulatory demands.
- AGENTS.md: as someone who reads Simon Willison's blog, this is no surprise and a welcome confirmation (another file to watch out for: CLAUDE.md).
- Oxide: I wrote this post almost exclusively to mention Oxide 😅, a company I admire. Whenever people ask me about my cloud exit strategy, my answer is: Oxide. Here's why.

(Quote) Counterfactuals

Excellent insight on counterfactuals in the context of (some of) the analysis of that latest AWS outage (emphasis mine):

Counterfactuals are seductive. They tidy up messy stories. “If only we’d done X.” “If only they’d noticed Y.” They sound analytical, but they’re fictional. As the saying goes, “If my grandmother had wheels, she’d be a bicycle.” Once we start changing the facts, we’re not talking about reality anymore: we’re imagining a different one that didn’t happen. It’s easy to laugh at Joey, but we all do it. Just look at all the hot takes on the large AWS outage this week. We look back at a failed project, a near miss, an incident or accident, and feel the seductive pull of “they should have..” or “they shouldn’t have…” because we crave causality and coherence. When something goes wrong, we want to believe that there was a single point of failure that we can fix for next time, reassuring ourselves that it won’t happen again. But as Dekker reminds us, “…[counterfactuals] ...

Chuck Close on Inspiration (via Farnam Street)

The advice I like to give anybody who’ll listen to me, is not to wait around for inspiration. Inspiration is for amateurs; the rest of us just show up and get to work.

Chuck Close - via Farnam Street - emphasis mine

I saw Mark at MOMA a while back and was blown away by the superhuman attention to detail

Versatile is a better name for Full Stack

I feel that terms like full stack developer and generalist ran out of steam and don't capture the attention they should IMO; enter versatile. I came across it while listening to Scaling Manufacturing and, surely enough, when I went to check Oxide Principles, Versatility is listed under Values:

Versatility: while we must naturally specialize, our bold mission also demands that any of us may need to apply ourselves in a new domain – and indeed, that many of us will be doing this much of the time.

You Cannot Outsource Understanding (Quote)

Businesses cannot remove developers without losing the understanding needed to build and maintain software. Tools like outsourcing, no-code, or AI can speed work but cannot replace comprehension. Design platforms and practices that amplify developers' context and collaboration instead of trying to eliminate them.

Source - via LinkedIn

Reminds me of Enough AI copilots! We need AI HUDs