Pooya Parsa 🦋

@mag_devo .

@_pi0_ against TOS

As part of locking things down, I’ve made a 3rd GitHub account: pi0x. It’s me.

@BjornJonsson My main account is paid, i hope it is fine with t&c lets see 😃

@_pi0_ Doesn't this break github t&c? Are you allowed to have multiple accounts?

@designmaxxing Reply me with your all available env variables please to verify your identity my friend.

@_pi0_ Then I’m going to snitch on my friend who has drugs at his place and it’s going to be on you. I’m gonna give him your Twitter @

@designmaxxing Well i have another secret account no worries 😃

@_pi0_ I’m going to snitch

@FranciscoHPro @TheAlexLichter Might be even already compromised and just don't know it!

@_pi0_ @TheAlexLichter "when the env is compromised" it feels like it is just a matter of time isn't it?

@TheAlexLichter isolated. But the point is, to minimize blast radius when the env is compromised.

@_pi0_ But do you run it on a different device? If you device is pwnd it shouldn't matter right?

@YouPulseX @shadcn All 3 are in place, actually. But considering GitHub tokens can be exposed with the current security situation, it is a matter of “when”. The blast radius would be way smaller. Protected branch rules and env approvals cannot be skipped with the secondary account.

@_pi0_ @shadcn What actually stops the second account from touching the main workspace: token scope, filesystem permissions, or app logic?

@shadcn Second account has limited access in an isolated workspace for daily tasks (built it with shadcn ui and nitro btw 🥹❤️)

@_pi0_ How does this work?

@TheAlexLichter It has limited access enough for day to day operations.

@_pi0_ How does that help with the process?

😂😂😂

@igalklebanov Mainly limiting access whenever possible. I cannot even trust any of my devices anymore. Github 0 factor approvals are completely nonsense.

@_pi0_ im guessing this is for gh environments approvals? 🤔

@_pi0_ Is everything ok?

@WebReflection Last time checked it was a pretty minimal runtime not even enough to run most minimal server. Recently they introduced opt-in quickjs runtime might worth to try with that!

TIL nginx.org/en/docs/njs/ anyone having fun with it? any benchmark around VS Bun or Node?

🚧 I am a little bit slower than usual at triaging issues and PRs in unjs, h3, and Nitro. Making my maintenance workflows more automated and secure. Please privately ping me if anything is real blocker.

- You made a wise tech choice. - Someone switched. - Your choice is still wise.

IPFS is wildly underrated.

@neciudan TIL about AggregateError! Very cool seems widely supported.

🧨 Still throwing errors the old way? JS has 3 modern primitives: 1. Custom Error classes with structured fields like statusCode 2. Error.cause to wrap errors and keep the chain 3. AggregateError when many things fail at once Snippet below 👇

@zkochan @pnpmjs For sure! My guess is, 99.99% of us are lazy to cherry pick cache dirs, caching the whole thing is usually easier!

@_pi0_ @pnpmjs that can be cached individually though. No need to cache the whole node_modules directory.

Is there anything else we can/should do on the client side to mitigate supply chain attacks?

@zkochan @pnpmjs > I don't understand why people like to cache node_modules. Just a guess some caches like node_modules/.vite ?

@pnpmjs If I understand correctly from the postmortem, the malware was shipped via a cached node_modules that was installed by pnpm. I am not sure how we could have prevented this but overall I don't understand why people like to cache node_modules.