Clara Leigh
@clara42.bsky.social
Laravel, VueJS, Cyber Security 🌈
Have they finally got the DB driver working well again?!? I’ll have to check it out

I remember checking in 2 years ago with the mongo team and it was not quite ready for production usage, but it worked in some areas
November 14, 2025 at 10:05 AM
Yeah fr. In my paper I compare it to the CD/USB autorun drama of the 00s. Except instead of just inserting 1 device, we pull in 10,000 from the internet and assume it’s all gucci
November 5, 2025 at 9:52 PM
The first step is tackling npm autorun. Explicit approval for any post install/update script with insights

Next would be SBOMs with behaviour attached. And notices when deps grow, scripts change etc. and a move away from the habit of using deps for tiny tasks. + much more. I could rant for a while
November 4, 2025 at 11:55 PM
In npm world it’s a little tricky rn. Personally I don’t update a pkg until it’s 2-3 wks old (unless it’s a security patch). This gives community run static/dynamic analysis tools time to find and flag things. There are SBOM tools that help too

The real solution would require community change… 1/2
November 4, 2025 at 11:55 PM
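The two habits in the posts above (approving install-phase scripts explicitly, and waiting a couple of weeks before pulling a new version) both map onto existing npm knobs: the `ignore-scripts` setting, and the `--before=<date>` install flag that resolves the tree as if the registry were frozen at that timestamp. The following is an added example, not code from the original posts; the package names and manifests are constructed to stand in for `node_modules/*/package.json`.

```javascript
// Added example (not from the original posts): a small review helper.
// (a) lists which dependencies declare install-phase lifecycle scripts so each
//     one can be approved before `npm rebuild <pkg>` is allowed to run it;
// (b) computes the timestamp for `npm install --before=<iso>` so only versions
//     published at least N days ago are resolved.
// Package names and manifests below are constructed for the demo.

const INSTALL_PHASES = ['preinstall', 'install', 'postinstall', 'preprepare', 'prepare', 'postprepare'];

// Given a map of package name -> parsed package.json, return every script that
// would run during install, with its text, so a human can review it.
function findInstallScripts(manifests) {
  const findings = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    const scripts = (manifest && manifest.scripts) || {};
    for (const phase of INSTALL_PHASES) {
      if (typeof scripts[phase] === 'string' && scripts[phase].trim() !== '') {
        findings.push({ name, version: manifest.version, phase, script: scripts[phase] });
      }
    }
  }
  return findings;
}

// Cutoff for `npm install --before=<iso>`: `now` minus `days`, in ISO 8601.
function quarantineCutoff(days, now = new Date()) {
  const cutoff = new Date(now.getTime() - days * 24 * 60 * 60 * 1000);
  return cutoff.toISOString();
}

// The install command that combines both controls: no lifecycle scripts, and
// no version newer than the quarantine window.
function quarantineInstallCommand(days, now = new Date()) {
  return `npm install --ignore-scripts --before=${quarantineCutoff(days, now)}`;
}

// Constructed manifests standing in for node_modules/*/package.json.
const SAMPLE_MANIFESTS = {
  'left-pad-ish': { version: '1.0.0', scripts: { test: 'node test.js' } },
  'native-thing': { version: '2.3.1', scripts: { install: 'node-gyp rebuild' } },
  'sneaky-dep': { version: '0.0.9', scripts: { postinstall: 'node setup.js' } },
};

// Demo run: print what a reviewer would look at before approving a rebuild.
for (const f of findInstallScripts(SAMPLE_MANIFESTS)) {
  console.log(`${f.name}@${f.version} ${f.phase}: ${f.script}`);
}
console.log(quarantineInstallCommand(21));
```

Putting `ignore-scripts=true` in the project's `.npmrc` makes the first control the default rather than a flag you have to remember; `npm test`, `npm start` and `npm run <script>` still run their named script, only the automatic pre/post hooks are suppressed. The packages the helper lists are the ones you then rebuild deliberately, one at a time, after reading the script.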
I knew the good talks with China could only last so long. Guessing it’s a proxy war sorta thing? I haven’t read into it yet
November 2, 2025 at 9:16 PM
It’s the small things that keep me on Mac.

Like I remember my yubikey being a pain with git commits on Linux and other little small things that take hours to fix properly

I do miss my Linux daily driver tho 🥲
October 29, 2025 at 8:43 PM
Looking forward to seeing how they deal with the debanking crew that’ll target them next
October 14, 2025 at 10:47 PM
10 second deploys is quite a feat!

I remember getting my server setup and install time down to 15secs at my last startup (business in a box for web) and I thought that was the coolest thing ever but no one batted an eye back then 😭 maybe I was just too early
October 1, 2025 at 9:29 PM
Lmao I bet he just found out you’re not allowed to edit your own wiki 😂
October 1, 2025 at 7:22 AM
I just wish sql error logs supported it 😭
September 30, 2025 at 10:16 AM
I’m not sure rate limiting would help other than slow them down.

Really the solution is to ensure there is no way to check if a user exists, which is doable but often tedious
September 30, 2025 at 6:42 AM
I would define a vulnerability as something that assists in the compromise of an asset

I have seen a lot of accounts this year fall victim to phishing attacks, most of which only targeted due to UE

5 years ago, I cared little about UE but back then phishing was easier to spot
September 30, 2025 at 6:24 AM
I miss the 00s and 10s when devs building frameworks would name methods and vars like “xzy42_type” to prevent this exact issue
September 28, 2025 at 4:17 AM
Oooo “kind” kinda works! I’ve been using “theType” or “provider”
September 28, 2025 at 4:09 AM
I love it! If you find yourself wanting another challenge or you have access to the road map, adding short lived tokens (ie OIDC) to Vapor and cloud would go a long way in securing things like GitHub actions for deployments 🙏
September 23, 2025 at 1:52 AM