
Justin Bennett
7.8K posts

@just_be_dev
Open-source enthusiast; maker. Co-host of @DevtoolsFM. @recursecenter Alum. Prev at @ValDotTown, @oxidecomputer, @ArtsyOpenSource.
Brooklyn, NY · Joined June 2010
3.1K Following · 2.3K Followers
Pinned Tweet

Alrighty folks, I've renamed my twitter account from @zephraph to @just_be_dev. Got a placeholder for the old one.
Justin Bennett retweeted

🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised.
If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.
At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @0.0.1 all the way through @0.34.2. Over 10,000 GitHub workflow files reference this action.
The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens
The only unaffected tag right now appears to be @0.35.0.
Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.
This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.
The compromised tags are still active. Pin to @0.35.0 or use a SHA reference until this is fully remediated.
Full write-up: socket.dev/blog/trivy-und…
Justin Bennett retweeted

🤘 Securely execute AI-generated Node.js code without a sandbox
- 17.9ms coldstarts p99
- 3.4 MB RAM
- 56x cheaper than sandboxes
- Built on the same tech as Cloudflare Workers
- Just a library, no external vendor
- Our most metal website yet

Rivet @rivet_dev
Introducing the Secure Exec SDK
Secure Node.js execution without a sandbox
⚡ 17.9 ms coldstart, 3.4 MB mem, 56x cheaper
📦 Just a library – supports Node.js, Bun, & browsers
🔐 Powered by the same tech as Cloudflare Workers
$ npm install secure-exec
Justin Bennett retweeted

@jarredsumner Have you checked out @TauriApps approach? They have a crate called wry that they implement cross OS webviews in: github.com/tauri-apps/wry. I use it in github.com/just-be-dev/we…. Sounds like you're doing something deeper/more custom, but it may help inform other OS impls.
Justin Bennett retweeted

@SlackHQ you broke my shortcut keys yo. When someone presses control you ignore all other meta keys. Please don't do that. I use ctrl+option to move windows around and now I can't do that with slack.
Justin Bennett retweeted

We're obsessed with background removal so we built another model for it.
Introducing **Fibo-Edit-RMBG**: our image editing model, fine-tuned specifically for removing backgrounds.
It's open. It's powerful. And it's yours to use.
This is exactly why open-source matters - you can take a great model and make it exceptional for YOUR use case.
[Link in comments]


Justin Bennett retweeted

@jessmartin technical difficulties, discord isn't working. DMs?

@badlogicgames Hmmmm, maybe time for me to do more with github.com/just-be-dev/we…

seriously underrated. this is immensely useful!
Daniel Griesser @DanielGri
Built a slim lib that can be used by your agent to spawn a native web view to interact with you. github.com/hazat/glimpse
Starts in <300ms and is fully js hackable.
Comes with Pi extension that follows your cursor around for your agents working in the background while you surf.
Justin Bennett retweeted

Built a slim lib that can be used by your agent to spawn a native web view to interact with you. github.com/hazat/glimpse
Starts in <300ms and is fully js hackable.
Comes with Pi extension that follows your cursor around for your agents working in the background while you surf.
Justin Bennett retweeted

Introducing Void, the Vite-native deployment platform:
🚀 Full-stack SDK
⚙️ Auto-provisioned infra (db, kv, storage, AI, crons, queues...)
🔒 End-to-end type safety
🧩 React/Vue/Svelte/Solid + Vite meta-frameworks
🌐 SSR, SSG, ISR, islands + Markdown
🤖 AI-native tooling
☁️ One-command deploys
void.cloud

Justin Bennett retweeted

Introducing 𝚑𝚒𝚝-𝚊𝚛𝚎𝚊—a collection of @tailwindcss utility classes for expanding the hit area of interactive elements.
Small hit areas are a silent UX killer. One class fixes it.
Distributed via @shadcn registry - see link below.








