Rob Ede

4.3K posts

@robjtede

Lead Rust Engineer @krakenpro | Maintainer https://t.co/BwGOa5BpKB | MComp Computer Science @sheffielduni

London, UK Joined February 2011
464 Following 1K Followers
Pinned Tweet
Rob Ede@robjtede·
This has grown to 36 authors, all at $1 a month, which is still around 10% of my own sponsorship income. We're an ecosystem of creators and it feels right to give to the authors whose tools and lower-level crates I use.
Rob Ede@robjtede

I'm committing at least 10% of my GitHub sponsorships to other open-source Rust authors. I currently sponsor ~27 authors at $1 a month so a little short at the moment. Who should I look at? github.com/sponsors/robjt…

Rob Ede@robjtede·
New `confik` releases today ft. support for YAML & RON sources and new `jiff` support.
Rob Ede retweeted
Michael Saylor@saylor·
@BorisJohnson Bitcoin is not a Ponzi scheme. A Ponzi requires a central operator promising returns and paying early investors with funds from later ones. Bitcoin has no issuer, no promoter, and no guaranteed return—just an open, decentralized monetary network driven by code and market demand.
Rob Ede@robjtede·
As a rite of passage, I accidentally spent way too much on Claude Sonnet and Opus before switching to OpenRouter’s auto model.
Rob Ede@robjtede·
I maintain A LOT of repos and this is pretty much the first thing I’ve fully vibe coded in my personal time to help with that. github.com/robjtede/depen…
Rob Ede@robjtede·
Wish someone would have told me 8 months ago when I bought this laptop that 64 GB of memory is not going to be enough to run the good local LLM coding models.
Rob Ede@robjtede·
So I wanted to read Marie Kondo but accidentally bought the manga version of her book. Some mistakes are cuter than others 😸
Rob Ede@robjtede·
@mkenzo_8 Worth asking why you got deprioritised on Freya’s repo tbh
marc 🦀@mkenzo_8·
@robjtede Yeah but, for example I made some releases (bumped all the workspace crates) 5 days ago and it's still in the position 12841/15428 At this pace it will take a lot of days
marc 🦀@mkenzo_8·
how come nobody is talking about the massive build queue in docs.rs ? docs.rs/releases/queue Currently its 15173 crates long. I am pretty sure it used to be much shorter
Rob Ede@robjtede·
Overpaying tax last year and finding out I don’t owe anything extra this year is like finding £20 under your pillow times a hundred.
Rob Ede@robjtede·
There’s no shot I got this in 3. Way more lucky than it’s claiming. Wordle 1,683 3/6 ⬛⬛⬛⬛⬛ ⬛⬛⬛⬛🟨 🟩🟩🟩🟩🟩 WordleBot Skill 81/99 Luck 44/99
Rob Ede@robjtede·
Knock knock! Who's there? SURPRISE PCN FOR DRIVING THROUGH THE BLACKWALL TUNNEL! News to me that there's a charge for that now :(
Rob Ede retweeted
Peter Girnus 🦅@gothburz·
Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell. I don't have a bug bounty program. I never asked for a security assessment. I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty." Bounty? I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes." They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup) They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes. My customers' data was on that server. I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me." Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout. They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI. Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing." A pen what? I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization. Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground. 
I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first" I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account. There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor. But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes. Hero.
Rob Ede@robjtede·
Fun fact: everything used TextMate’s syntax highlighting tech until tree-sitter was developed.
Rob Ede@robjtede·
Then Sublime -> Atom -> VSCode as support for each waxed and waned.
Rob Ede@robjtede·
Can we say a segfault would have been identified and fixed as quickly?
The Lunduke Journal@LundukeJournal

September, 26: Cloudflare rewritten in “memory safe” Rust. The change is touted as “faster and more secure” because of Rust. blog.cloudflare.com/20-percent-int… November, 18 (53 days later): Cloudflare has a massive outage, which took down large portions of the Internet, because of a memory error… in that Rust code. blog.cloudflare.com/18-november-20…
