RDLTR

Short for Read Later. Save links from any browser or phone. Click to save, read to clear. The full tour

One topic. Every takeSeek and you shall find

Reading up on supply-chain-security

6 deep · digging since jan 02

  • news.ycombinator.com favicon
    .gitignore Isn't the only way to ignore files in Git

    The article explores alternative Git ignore mechanisms beyond .gitignore, including .gitattributes for diff suppression and local exclude files, while sparking debate on reviewing lockfile diffs.

  • gaborkoos.com favicon
    How to Evaluate an npm Package - 2026 Edition

    A practical checklist for evaluating npm packages in 2026 covering security, maintenance, provenance, CI quality, and incident response to make informed dependency decisions.

  • www.perplexity.ai favicon
    {{IW4QaZoc2}}

    Perplexity open-sources Bumblebee, a read-only scanner that checks developer machines for risky packages, extensions, and AI tool configs during supply-chain incidents.

  • nesbitt.io favicon
    GitHub Actions is the weakest link

    GitHub Actions' default features—mutable tags, pull_request_target, template injection, and write-scoped tokens—have enabled a chain of supply-chain attacks on open-source registries, and GitHub's opt-in security roadmap won't fix the root causes.

  • nesbitt.io favicon
    Package Managers Need to Cool Down

    A survey finds that while many package managers and update tools have adopted dependency cooldowns to prevent supply chain attacks, implementations vary wildly in naming, scope, and timestamp handling, and major ecosystems like Go, Maven, and Gradle still lack support.

  • nesbitt.io favicon
    Cursed Bundler: Using go get to install Ruby Gems

    Go's module proxy and transparency log can be repurposed to fetch and verify Ruby gems with better integrity guarantees than RubyGems itself.