Danny Thuering
@dannytt
4.6K posts

🏢 CTO @webmobix 🧑🏻‍💻 software #developer 👨‍💼 #entrepreneur 📍 Jakarta 🇮🇩 📈 building @VanillaRoundApp

Jakarta · Joined April 2009
4.4K Following · 1.5K Followers
Danny Thuering @dannytt
@AlphaSignalAI I do have really good experience working with #openspec. 👨🏻‍💻 Much better structured and scoped requirements. Better outcomes. 👏
Replies 1 · Reposts 0 · Likes 2 · Views 57
AlphaSignal AI @AlphaSignalAI
Spec-driven development became the default AI coding architecture.
67-source academic review all agreed: 5 repos defining it + 1 saying they're all wrong:
spec-kit · BMAD · Open-spec · GSD · superpowers
and Pocock's skills
How to choose? Or should you adapt a feature from each one?
[image attached]
Linked article: x.com/i/article/2057…
Replies 11 · Reposts 23 · Likes 166 · Views 31.2K
Danny Thuering @dannytt
Upgraded to pnpm 11 in April mostly for monorepo ergonomics. Turns out 3 default settings quietly protected me from the TanStack supply chain attack that hit today:
• minimumReleaseAge — 24h quarantine on new packages
• blockExoticSubdeps — blocks git-based dependency injection
• allowBuilds — lifecycle scripts off unless you opt in
Right defaults > right intentions 🔒
dthuering.com/posts/why-i-am… #nodejs #pnpm #supplychain #security #javascript
[image attached]
Replies 0 · Reposts 0 · Likes 2 · Views 85
James Q Quick @jamesqquick
Firm believer that all delete confirmations that require the name of the resource should include a copy button!
[image attached]
Replies 23 · Reposts 1 · Likes 143 · Views 20.4K
Danny Thuering reposted
Seb ⚛️ ThisWeekInReact.com @sebastienlorber
TL;DR for open-source maintainers
🚫 NEVER use "pull_request_target" workflows
🚫 NEVER use shared caches in your publish pipeline
Combining these 2 in particular is extremely dangerous. I've repeated this countless times over the years, but another reminder is always useful.
[image attached]
Quoted post: TANSTACK @tan_stack
SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…
Credit to the security researcher for responsible disclosure.
Replies 26 · Reposts 221 · Likes 1.7K · Views 221.3K
Jinjing Liang @JinjingLiang
Easiest way to protect yourself:
1. Use pnpm
2. Set a minimum-release-age
[image attached]
Quoted post: TANSTACK @tan_stack (the same TanStack security advisory reproduced above)
Replies 52 · Reposts 115 · Likes 1.5K · Views 229.3K
Ben Dicken @BenjDicken
I don't get the mongodb hype. Replaceable with 12 lines of js.
[image attached]
Replies 90 · Reposts 48 · Likes 2.5K · Views 446.8K
Luke Parker @LukeParkerDev
git worktrees are fun and all, until you have 3563 instances of node_modules
Replies 60 · Reposts 5 · Likes 548 · Views 41.3K
Danny Thuering @dannytt
@boyney123 Oh it is. 👍 We are building something for requirements and it is really cool.
Replies 0 · Reposts 0 · Likes 0 · Views 5
David Boyne 🚀 @boyney123
The TipTap editor is so much fun to play with! It can provide so much flexibility. Here I'm creating custom slash commands for mermaid and node diagrams for users, so they can embed them directly into their docs. Combine this with MDX and it feels like super powers! This editor will focus on software architecture primitives and let you document your architecture on @event_catalog and publish them too.
Replies 2 · Reposts 2 · Likes 6 · Views 1.1K
Danny Thuering @dannytt
@_ashleypeacock Got this today as well from Ghosty when trying to run a pnpm command in the wrong folder.
Replies 0 · Reposts 0 · Likes 0 · Views 32
Ashley Peacock @_ashleypeacock
That's going to be a hard no
[image attached]
Replies 2 · Reposts 1 · Likes 8 · Views 948
Alvin Sng @alvinsng
It's hard to believe, but I've just switched my default model to GLM-5.1. I work at @FactoryAI and have unlimited tokens for any model, yet I still chose this one. I was on Opus forever, but I tried this and haven't gone back. My work consists mostly of quick fixes or mass refactors. It's fast and it gets me. No running long discoveries or extra validations unless they are obviously needed. 3 days. 7 PRs. All on GLM-5.1.
[image attached]
Replies 57 · Reposts 19 · Likes 539 · Views 34.7K
Danny Thuering @dannytt
@thdxr Interesting to see GLM so low and Kimi up. Have to test Kimi tomorrow.
Replies 0 · Reposts 0 · Likes 0 · Views 38
dax @thdxr
our team's last 7 days of spend. damn gpt5.5
[image attached]
Replies 272 · Reposts 80 · Likes 3.4K · Views 723.2K
Danny Thuering @dannytt
Design systems aren't just for big teams anymore! Solopreneurs and small teams can now build consistent, beautiful products without the overhead. The key? Modern tools that automate the heavy lifting. Instead of managing hundreds of design tokens manually, you can use AI-powered tools to generate, maintain, and sync your entire design system across platforms. The result: More time building features your users love, less time wrestling with CSS variables and color palettes. Anyone can do this now 👏🏼
[image attached]
Replies 1 · Reposts 0 · Likes 0 · Views 17