Валяй

None of this is specific to astro-iubenda. That is the point. If someone installs it in production, the supply chain risk remains real. Most of this is just config.

Sixth: no dependency-managed postinstall hook setup. I removed simple-git-hooks postinstall behavior and switched to native git hooks: .githooks pnpm prepare-hooks Less install-time magic. More explicit repo config.

Small open-source npm package? Same supply-chain risk. I’ve just updated astro-iubenda, a small Astro integration for using @iubenda in @astrodotbuild projects: github.com/Valyay/astro-i… Here are 6 supply-chain hardening techniques I added to the repo:

@henrytdowling Mostly worried that sensitive context could get stored in git and pushed somewhere, like prompts, secrets or client context. Also feels like one more layer I’d need to watch

@_valyay_ what are you concerned about? like the repo getting leaked?

We already have memory for AI coding agents. It’s called git. And many teams are filling it with garbage: fix bug update styles refactor component

@henrytdowling It looks interesting, but I have safety concerns, so I wouldn't use it

@_valyay_ what do you think about entire.io?

But now the developer from the future is often a coding agent. Stop giving AI agents broken memory.

When coding agents use that memory as context, better memory leads to better reasoning. We used to say: write commit messages for the human developer from the future. That is still true.