Reading up on PyPI
3 deep · digging since nov 24, 25
- GitHub Actions is the weakest link
GitHub Actions' default features—mutable tags, pull_request_target, template injection, and write-scoped tokens—have enabled a chain of supply-chain attacks on open-source registries, and GitHub's opt-in security roadmap won't fix the root causes.
- Anthropic invests $1.5M in the Python Software Foundation
Anthropic donated $1.5 million over two years to the Python Software Foundation, earmarked primarily for improving Python ecosystem security and supply-chain protection.
- GitHub - cased/kit: The toolkit for AI devtools context engineering. Build with codebase mapping, symbol extraction, and many kinds of code search.
Kit provides a Python toolkit for codebase mapping, symbol extraction, and code search to build LLM-powered developer tools and agents.