Tag
Collider 1.3.0 adds path traversal protection for repository indices and strips bearer tokens on cross-origin redirects, closing two security vulnerabilities.
Cross Repo Review is a tool that maps inter-repo dependencies and surfaces downstream impacts, breaking changes, and blast radius on PRs, tracking code, service, data, and pipeline dependencies.
Google Devs presents a CI pipeline challenge where a dependency change made the build faster but broke production, prompting a debugging puzzle.
A blog post advocating for package managers to support global hooks as a more secure and flexible alternative to current package security measures like registries or shell wrappers.
ty-pre-commit is a new tool that simplifies pre-commit hooks for type checkers by automatically installing dependencies using uv.
Bundler 4.0.13 introduces a cooldown feature that blocks resolution to gems published less than N days ago, mitigating supply-chain attacks. It is opt-in and configurable per source, setting, or command-line flag.
Ohbin is a Python tool that acts as a uv wrapper for installing GitHub release binaries directly into a project, eliminating the need for hand-rolled wrapper packages. It automates download, SHA256 verification, caching, and execution via a simple declarative configuration in pyproject.toml.
CRow is a new open-source build system and dependency manager for C/C++ that mimics the simplicity of Rust's Cargo.
Developer shares experience switching Python projects from uv to PDM, highlighting PDM’s pure-Python codebase, new 2.26.8 release with relative-time dependency cooldown, and enhanced project-management features.
A practical guide to securing Python supply chains through layered defenses including linting with Ruff, dependency pinning with hashes, vulnerability scanning with pip-audit, SBOM generation, and Trusted Publishing with OIDC attestations.