Mark Wolfe 🐺

New supply chain attack this time for npm axios, the most popular HTTP client library with 300M weekly downloads. Scanning my system I found a use imported from googleworkspace/cli from a few days ago when I was experimenting with gmail/gcal cli. The installed version (luckily) resolved to an unaffected 1.13.5, but the project dependency is not pinned, meaning that if I did this earlier today the code would have resolved to latest and I'd be pwned. It's possible to personally defend against these to some extent with local settings e.g. release-age constraints, or containers or etc, but I think ultimately the defaults of package management projects (pip, npm etc) have to change so that a single infection (usually luckily fairly temporary in nature due to security scanning) does not spread through users at random and at scale via unpinned dependencies. More comprehensive article: stepsecurity.io/blog/axios-com…

PRs are too slow for agentic dev, but we still need a way to control which commits get CI credentials. Today’s loop is awful: push, wait for review, poll, fix, push again. I think review + CI should produce signed attestations attached directly to commits, so trust can be established before push and CI doesn’t have to wait for a post-push approval loop. Exploring this in github.com/buildkite/git-…. Anyone interested?

@BenjDicken Yes, I have had a herman-miller for 5+ years, can certainly attest to their build quality.

@wolfeidau looks cool but build-quality seems sub-herman-miller level.

What's the best $2k office chair and why? Aeron vs Embody

@BenjDicken would love to see some benchmarks around handling jsonb in Postgres, different sizes, and accessing a subset of a document.

Benchmarking Postgres this week. What's on your wish list? I'm particularly interested in: - jit on/off - autovacuum tuning and pg_squeeze - Conn scaling (both with and w/o PgBouncer) - Comparing performance across versions 12-18 - General perf tuning

@pquerna Australia is an option :)

Screw Miami, lets all move to Hawaii.

@BenjDicken Would be even better if the picture was included 😅

@BenjDicken I still pull these TCP/IP books by Stevens out from time to time, one of my favourites on our current network stack.

Name a better tech stack

Gotta love fixing a memory leak in Go using pprof and Julia Evans fantastic post to as a refresher. Owned by the EncodeAll method in klauspost/compress 😅🤦 #golang #Development jvns.ca/blog/2017/09/2…

Observability is so important when building with AI agents. I've caught so many small issues and regressions using logs, metrics, and tracing. Unit tests are fantastic, but once you put a service into the real world, it's often death by a thousand corner cases. Here's how I set it up locally in minutes: - Spin up Prometheus + Grafana with a simple Docker Compose file. Full metrics stack running locally. - Write dev server logs to a file in your project using tee or a process manager, so you have a record of what happened. - When something feels "done", validate the changes, check your metrics, and if anything looks off raise it straight with the AI agent. And if anything does go wrong, you can use an AI agent to troubleshoot the issue, capture those corner cases, add tests, and keep your project on track. Total cheat code. 🚀 📈 #AI #development

@embirico @gpeal8 Definitely tempted to try it for open source, currently using Claude code mostly with a bit of amp

big unlock for parallelism. this took many iterations from @gpeal8 and team!

The @AmpCode team really are the fun police, as soon as you start enjoying something it is deprecated and removed. RIP so many handy features🎈💥 😞 #ai

Inspired to look into Durable Lambda Executions based on the helpful post on @depotdev depot.dev/blog/lambda-du…, looks like someone has ported the sdk to golang yesterday. 👀github.com/dgr237/aws-dur… #AWS #golang

Keen to try this out for my next presentation!

I am trying to figure out why a global flag for retention doesn't work anymore in my cache project. After a summary detailing related features, claude is like. > Additionally, --cache-ttl (default 168h) is defined in Config but never wired to anything. OK 🤦🤦 #claudecode

@sluongng Yeah this is a BIG plus, i hate how opaque claude code is, I like to understand how things work so i can learn!

@wolfeidau The code is open source so you can always look up the code to see what’s going on

Claude code has suddenly started creating memory files for my projects. They are stored under ~/.claude/projects/some_path_whatever/memory/MEMORY.md According to Claude it is "Claude Code's Auto Memory file for your specific project" #claudecode #ai

@sluongng I really need to try codex for a month, lots of interesting work going on in the project.

@wolfeidau They are copying from codex i think. It’s an opt-in on codex side and the initial runs take crazy amount of tokens

@wolfeidau the ignoredError hint is so useful, especially when you're quickly scanning AI-generated code. easy to miss those silently discarded errors otherwise. gopls keeps getting better with every release

I really like some of these inlay hints which can be enabled in gopls github.com/golang/tools/b… This is especially handy when reviewing code written by a robot, which I am doing a lot of at the moment. 😅 Found it reading the zed editor docs... #golang