David G. Johnson

14.3K posts

@TheDavidJohnson

Brand Bard @StellarWP / @LiquidWeb / @Nexcess connoisseur of caffeine | neurodivergent | occasionally behind a microphone

Southern California · Joined November 2008
14.2K Following · 16.3K Followers

David G. Johnson (@TheDavidJohnson):
A new — and entirely *not* new — attack on WordPress sites: buy commercial plugins, insert sneaky backdoors, then wait to activate them. Check your sites for these 30+ plugins. H/T: @kathyzant
Austin Ginder (@austinginder):
Backdoor was planted in 30+ WordPress plugins from Essential Plugin (formerly WP Online Support). If you have any of their plugins installed be sure to patch them and check if your wp-config.php was compromised. anchor.host/someone-bought…

David G. Johnson retweeted
PressConf (@Press__Conf):
“Is there a future for WordPress plugins?” 👀 @learnwithmattc took the stage at #PressConf2026 and asked the question many are thinking, but few are saying out loud. A session that challenged assumptions and opened the door for real conversation. #PressConf #WordPress #WPcommunity

David G. Johnson retweeted
The Repository (@therepositorywp):
Cloudflare has launched EmDash, a new CMS it's calling the "spiritual successor to WordPress," drawing swift pushback from co-founder Matt Mullenweg and much of the community. therepository.email/cloudflare-lau…

David G. Johnson retweeted
Proton Pass (@Proton_Pass):
did you know, the purple in the chrome logo signifies protecting privacy?

David G. Johnson retweeted
:Cromwell: (@learnwithmattc):
We have the authors of the EmDash project LIVE on WP Product Talk tomorrow, live from @Press__Conf . This should be an exciting and highly topical conversation you won't want to miss. Special time alert 9:30am Pacific! Tune in live to ask your own questions.
WP Product Talk (@WPProductTalk):
We're excited to host @MattieTK and Matt Kane from @Cloudflare tomorrow LIVE on to talk all about EmDash. Is EmDash a threat to the WP ecosystem, or an opportunity? Tune in live tomorrow at a special time: 9:30am Pacific, 12:30pm Eastern, 5:30pm GMT youtube.com/watch?v=etL7Ke…

David G. Johnson (@TheDavidJohnson):
@benUNC This was a life changer at my house! The one... I... no longer live in 😭

Ben Meredith (@benUNC):
I just crimped my first CAT6 wire and I may have unleashed an actual monster. I'm about to wire every room in this house with an ethernet port.

David G. Johnson retweeted
Reid Wiseman (@astro_reid):
There are no words.

David G. Johnson (@TheDavidJohnson):
Downloading the same Google Doc as .docx, .odt, and .pdf all work as expected as well.

David G. Johnson (@TheDavidJohnson):
Hey @googledocs is there a file size limitation on the Download as Markdown functionality? Recently started getting empty (as in 0 bytes) .md files downloaded to my machine when using the "All Tabs" option for a larger (> 20MB) Docs file. "Current Tab" continues to work fine.

David G. Johnson (@TheDavidJohnson):
Maybe this is something for @AskWorkspace as this is for a Google Workspace account?

David G. Johnson (@TheDavidJohnson):
@davepl1968 also ruthlessly stick to the knitting and defend the quality of the product — even to the point of being offensive about it.

David G. Johnson (@TheDavidJohnson):
A funny artifact of moving to the west coast of the US is that many April Fool's posts are timestamped on March 31st, which creates mild cognitive dissonance as of course by habit I check the date on ridiculous-sounding shit.

David G. Johnson retweeted
Dave W Plummer (@davepl1968):
Axios Explained

Let's say you’re writing a server that talks to some API. In your code, you include an authentication token so the API knows the request is coming from you. Under normal circumstances, this is completely fine. You send a request to something like api.myapp.com, Axios attaches your Authorization header, and everything behaves as expected.

The problem starts when the URL you’re calling is no longer fully under your control. If your code allows a user to influence the URL, maybe through a query parameter, a form field, or some configuration, then an attacker can change where Axios sends the request. Instead of calling your trusted API, your server might end up making a request to a domain controlled by the attacker.

Axios doesn’t inherently know which domains are safe and which aren’t; it just sends the request to whatever URL it’s given. If your code also attaches sensitive headers like API tokens or cookies, those get sent along for the ride. At that point, you’ve effectively handed your credentials to the attacker.

There’s an even subtler version of this involving redirects. Even if your code hardcodes a “safe” URL, the server you contact can respond with a redirect (like an HTTP 302) pointing somewhere else. Axios, by default, follows redirects automatically. In some cases, it may continue sending headers like Authorization when following that redirect. If the redirect points to a malicious domain, your sensitive data can leak without you ever explicitly calling that domain in your code.

This class of issue is dangerous because it turns your server into a kind of proxy that the attacker can control. It’s often categorized as server-side request forgery (SSRF), and when combined with credential leakage, it can lead to account compromise or access to internal systems.

The root problem isn’t that Axios itself is broken. It’s that it behaves EXACTLY as instructed. It doesn’t enforce trust boundaries for you. If untrusted input controls the destination, or if redirects aren’t handled carefully, Axios will faithfully deliver your request (and your secrets) to wherever it gets pointed.

The fix is to explicitly enforce those trust boundaries in YOUR code. Only allow requests to known, trusted domains. Validate and parse URLs before using them. Attach sensitive headers only when you’re sure the destination is allowed. And, if necessary, restrict or disable automatic redirects so you can verify where a request is actually going before continuing.

The key takeaway is simple: when using Axios (or any HTTP client), you have to treat the destination URL as a security-critical input. If you don’t control it, you don’t control where your secrets go.
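
The fix described in the post above, sketched as an added example that is not part of the original post: an allowlist check applied to the first URL and to every redirect hop before the Authorization header is sent. It uses Node's built-in `fetch` instead of Axios so it runs without dependencies; `api.myapp.com` is the post's sample host, and `ALLOWED_HOSTS`, `parseTrusted` and `fetchWithPolicy` are hypothetical names.

```javascript
// Added example (not from the post). Hosts that may receive credentials;
// api.myapp.com is the post's sample host, everything else is hypothetical.
const ALLOWED_HOSTS = new Set(['api.myapp.com']);

// Parse a URL (optionally relative to the previous hop) and return it only if
// it is HTTPS, carries no userinfo, and its exact hostname is allowlisted.
function parseTrusted(rawUrl, base) {
  let u;
  try {
    u = new URL(rawUrl, base);
  } catch {
    return null; // unparseable input is never trusted
  }
  if (u.protocol !== 'https:') return null;
  // Userinfo makes the real host easy to misread: https://api.myapp.com@other.example/
  if (u.username || u.password) return null;
  return ALLOWED_HOSTS.has(u.hostname) ? u : null;
}

// Authenticated GET with automatic redirect following turned off, so each
// Location header is validated before the token is sent to the next hop.
// fetchImpl defaults to the global fetch of Node 18+; a stub can be injected.
async function fetchWithPolicy(rawUrl, token, fetchImpl = fetch, maxHops = 3) {
  let url = parseTrusted(rawUrl);
  if (!url) throw new Error(`destination not allowed: ${rawUrl}`);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(url.href, {
      redirect: 'manual', // stop at the 3xx instead of following it
      headers: { Authorization: `Bearer ${token}` },
    });
    if (res.status < 300 || res.status >= 400) return res;
    const loc = res.headers.get('location');
    if (!loc) return res; // 3xx without a target, nothing to follow
    const next = parseTrusted(loc, url);
    if (!next) throw new Error('redirect to untrusted destination blocked');
    url = next;
  }
  throw new Error('too many redirects');
}
```

With Axios the same loop applies once automatic redirect following is turned off through its `maxRedirects` option.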

David G. Johnson (@TheDavidJohnson):
Just grabbed my ticket for the Web Agency Summit 6 this year (the biggest event in our space) - See you there?? It's free and it's always amazing! atarim.io/summit @atarim_io

David G. Johnson (@TheDavidJohnson):
Because that's what people do. They leap. And hope to God they can fly. 'Cause otherwise, we just... drop like a rock... wondering the whole way down, "Why in the HELL did I jump?"