Jake Ginnivan
@JakeGinnivan
14.5K posts

Principal Consultant https://t.co/K51gAbyFQC | Co-Founder https://t.co/x406TL94UM | Previously Tech Lead Seven West Media WA | International Speaker | OSS | Mentor

Perth, Western Australia · Joined May 2008
2.3K Following · 2.1K Followers

Pinned Tweet
Jake Ginnivan @JakeGinnivan:
It's been a while in the making but FeatureBoard and @CoreyGinnivan gives a good overview of why we are different to many existing products. We are really keen to get a few partner organisations on board for feedback; in exchange we will be helping you get the most out of it.

Quoting Corey Ginnivan @CoreyGinnivan:
Soon I’ll be launching a new tool with my bro @JakeGinnivan! It’s called @FeatureBoardApp and it’s a feature toggling tool designed for SaaS products. Here are a few things we’re doing differently that might appeal to you 👇🧵

Jake Ginnivan reposted
Feross @feross:
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised. If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.

At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @0.0.1 all the way through @0.34.2. Over 10,000 GitHub workflow files reference this action.

The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens

The only unaffected tag right now appears to be @0.35.0. Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.

This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.

The compromised tags are still active. Pin to @0.35.0 or use a SHA reference until this is fully remediated.

Full write-up: socket.dev/blog/trivy-und…
Jake Ginnivan reposted
Matteo Collina @matteocollina:
Today, @nodejs published a security release for Node.js that fixes a critical bug affecting virtually every production Node.js app. If you use React Server Components, Next.js, or ANY APM tool (Datadog, New Relic, OpenTelemetry), your app could be vulnerable to DoS attacks. 👇
Jake Ginnivan @JakeGinnivan:
@samselikoff @housecor @tannerlinsley The post says “this is how you get”; the point of this post/tweet is to try to warn away from this. Some people don’t have the experience to see what the longer-term consequences are for their design choices, or they haven’t considered it as they are solving a problem.
Sam Selikoff @samselikoff:
Well, you’re responsible for what you share! Those are given as examples in a thought experiment of how directives *could* lead to vendor-specific implementations. But all of the open-source libs using directives today have done exactly the opposite, making sure to draw boundaries that give all users the maximum power without any provider lock-in. It’s fine to debate technical trade-offs but no need to spread FUD on account of a lazy pull-quote.
Cory House @housecor:
Custom directives are getting out of control.
'use server' 'use client' 'use cache' 'use cache:remote' 'use workflow' 'use streaming' 'use edge'
'use strict' is a JS directive. The stuff above isn't. That's a problem. More: tanstack.com/blog/directive…
Jake Ginnivan @JakeGinnivan:
@Aaronontheweb I treat patterns as communication tools, so if you have problems you apply patterns to solve, it’s so much easier when you explain / document your solutions. Patterns fall down when they are applied without a problem / cargo culted / dogmatic use.
Aaron Stannard @Aaronontheweb:
Biggest reason it's so hard to push back against Clean Coder complexity is that none of the "simpler" alternatives have any memetic independence:
- Recognizable names
- Clear benefits
- Easy to distinguish from and not be sublimated into "Clean Code"-ism
- Distinct patterns
Jake Ginnivan @JakeGinnivan:
@grizzly_codes I'm giving the v1 branch of Park UI a spin, I've opened 2 small PRs so far. Would it be helpful for me to keep opening small things when I find them? I've also got a bit further than the presets of a theme folder if sharing that would be helpful.
Jake Ginnivan @JakeGinnivan:
@karrisaarinen Yeah.. I just put a dust plug into mine now because you can’t clean them effectively. My last phone I couldn’t even plug in anymore due to compressed lint.
Jake Ginnivan @JakeGinnivan:
@JLarky There is one reason: shipping desktop or self-hostable software. You need the structure to be able to effectively patch and work across multiple versions at a time.
JLarky @JLarky:
I'm convinced that gitflow is a psyop and no one has ever done that in practice, because it takes like 30 seconds of thinking before you realize this is completely unfeasible and a huge waste of everyone's time.
Jake Ginnivan @JakeGinnivan:
Anyone got a comet invite code I could use? :)
Jake Ginnivan @JakeGinnivan:
@troyhunt @supawiz6991 The WAF comment was more that the minified JS came out in just such a way as to trigger a WAF rule. Could be a similar thing triggering the Chrome bug, something in the build, like an optimisation or something. Bit of a stretch though.
Troy Hunt @troyhunt:
@JakeGinnivan @supawiz6991 Thing is it seems to be different machines with different owners in different locations too, so network screwiness is unlikely. Has to be something on the client, surely.
Troy Hunt @troyhunt:
Anyone else having trouble loading @haveibeenpwned on a Chromebook? See the thread, feedback for @PeterVogel would be appreciated.

Quoting Peter Vogel @PeterVogel:
@troyhunt Any idea why haveibeenpwned.com might become inaccessible on a recent model Chromebook? Ironically, right after I wrote a column on your service (bccatholic.ca/voices/peter-v…). I've tried the usual suggestions, clear cache, history, cookies, but it remains a no-go. Chrome spits out an error code SIGILL.
Jake Ginnivan @JakeGinnivan:
@troyhunt @supawiz6991 Agreed, gut feel is something is triggering a bug in chrome on those old clients causing the tab crash. Maybe someone can send crash reports
Jake Ginnivan @JakeGinnivan:
@troyhunt @supawiz6991 We once had a prod incident for 7News where our WAF blocked a JS file because the minified JS from our build matched a rule for something.. so who knows :p but yeah, not loading the whole page, pretty odd. Not a fun one to be sure
Troy Hunt @troyhunt:
@JakeGinnivan @supawiz6991 Made one small JS change recently, but I mean *really* small. Shouldn’t cause the whole page not to load (but I’ll investigate that anyway).
Jake Ginnivan @JakeGinnivan:
@troyhunt @supawiz6991 Looking at the thread with the screenshots, I don’t think it’s a transport/cloudflare issue now. Another idea is the JavaScript on the page, do you build/mangle it? Or web workers/service workers on the new site? Something must be triggering a bug in chrome on Chromebook
Troy Hunt @troyhunt:
@supawiz6991 @JakeGinnivan Edge cache TTL is already an hour so it’s done it many times since your message, plus I’d really like to understand why the same cached version works fine on every other browser but doesn’t even begin to render on Chromium
Jake Ginnivan @JakeGinnivan:
@troyhunt My guess is an outdated root CA list, as Azure relies on newer authorities. I’ve seen the issue on ruggedised devices running older Android versions and had to work around it with our own certs. scotthelme.co.uk/should-clients… seems to be a post on the issue.
Troy Hunt @troyhunt:
Feedback seems to be this is consistently occurring across Chromebooks. Can anyone identify the cause? It doesn’t seem to affect any other OS.
Jake Ginnivan @JakeGinnivan:
@headinthebox Linear is one of the few I have really enjoyed using. It’s just a joy to use and track what you are doing
Erik Meijer @headinthebox:
Are there developers that actually use products like linear.app/features, or is this just fluff to keep managers busy?
Jake Ginnivan @JakeGinnivan:
@mjackson @debs_obrien The issue is it’s the .toBe which gets retried if it fails. `await page.waitFor(() => page.getTitle()).toBe(title)` Maybe something like this.
MJ @mjackson:
Instead of page.getTitle() you could name it something very explicit that encapsulates the retry logic, like `expect(await page.waitForTitle()).toBe(title)` The main point is to move the `await` *inside* the expect() arg instead of using an “async matcher”. That’s the source of the problem IMHO.
Debbie O'Brien @debs_obrien:
The amount of people who forget to write awaits on their expects when writing Playwright assertions is 🤦‍♀️. How can we fix this? So many hours lost….
Jake Ginnivan @JakeGinnivan:
@debs_obrien This is one of the main reasons I pay the cost of eslint with types. No dangling promises catches this for me
Jake Ginnivan @JakeGinnivan:
@mjackson @debs_obrien Agree with overloading expect and expectations; the challenge is the auto-retry-until-it-matches semantics, which awaiting to get the title and then asserting would cause issues with.
MJ @mjackson:
The API is practically baiting people to make this mistake.

For starters, Playwright departs from the normal expect() API style that everyone is used to. If you look at any other expect() API in JS (mocha, Jest, Vitest, etc.) you don’t have to `await` any of them. So PW takes an API that people are familiar with from elsewhere and changes the semantics.

In addition, the expect() API in PW isn’t consistent, so it’s difficult to remember which assertions require `await` and which ones don’t. The fact that “generic matchers” and “async matchers” may both be attached to the same top-level expect() call means that folks who aren’t familiar with the library will have to consult the docs in order to figure it out. This may even be a bigger issue than #1. This is huge.

To fix, find another way entirely to write these async assertions. Eg instead of `await expect(page).toHaveTitle(title)` make the async part really obvious here, like `expect(await page.getTitle()).toBe(title)`. Just ditch the async matchers entirely and use the regular matchers with regular old `await` for the actual values you need in your assertion.

In this scenario, if someone forgets the `await` and writes `expect(page.getTitle()).toBe(title)` the test will immediately fail and they’ll see why; they’re expecting a Promise to be a string value. This is far preferable to the test succeeding and giving you a false positive because you forgot to await your expect().

One nice bonus here is that you trim way down on the number of matchers you actually need to ship in the library. Less API is always nice.

That’s my 2 cents, anyway 😅