spuxx
spuxx.bsky.social
Software engineer at DB, the German public railway company. Used to be a biologist and radio guy.
Ah I got those confused then. I neither knew about vlt nor heard about anthropic buying bun. Thanks!
December 2, 2025 at 10:52 PM
Damn that's harsh lol. But back to my original question, why do we need vlt when we already don't have a lack of competing JS runtimes?
December 2, 2025 at 10:49 PM
I did but it didn't really get me fired up tbh. What makes deno stand out is not being a faster runtime but moving a lot of the paradigms forward that we've come to accept in the ecosystem. It gets rid of a lot of technical debt.
December 2, 2025 at 10:33 PM
Completely missed the memo on this one. What does it offer over, say, deno?
December 2, 2025 at 10:26 PM
What I said could be misread, so I better clarify: While trusted publishing itself does not prohibit manual publishing, since Shai-Hulud, npm really nudges you towards enabling it and disabling manual publishing altogether. They now also limit token lifetime to 3 months, increasing friction.
December 1, 2025 at 8:30 AM
Yeah, might be. :) If e.g. your CI/CD pipeline includes a human element in the form of "you gotta press this button to create a release", which proper setups will usually have, this shift indeed introduces the requirement for human interaction. But it all depends on how the repo is set up.
December 1, 2025 at 8:06 AM
Also, love the work you guys do. Always one of my week's highlights. ❤️
December 1, 2025 at 7:59 AM
If the repository's CI/CD and permissions are set up properly, it'll be much harder to publish a malicious payload now. Of course that's a big "if" right there, but making it harder for authors to yolo a release of a widely adopted package is a good thing in a lot of ways.
December 1, 2025 at 7:57 AM
Since supply chain attacks like that rely on fetching tokens locally from the dev machines, removing that attack vector is pretty smart IMO. Nowadays there's little reason for package authors to have the ability to manually publish anyways, especially if they maintain popular packages. 3/x
December 1, 2025 at 7:54 AM
They now push authors to use what they call "trusted publishing", which essentially removes the ability to manually publish a package entirely and moves the authority to publish exclusively to CI/CD pipelines. If you consider what Shai-Hulud did, you'll notice this is actually a good idea. 2/x
December 1, 2025 at 7:52 AM
What do you mean by chore? 👀 I linked my github action to npm once and now I never have to worry about rotating tokens again. 🥰
November 28, 2025 at 6:18 PM
There's OData: www.odata.org

SAP did make heavy use of it at one time and I think Microsoft too, not sure if they still do
November 8, 2025 at 6:46 AM
Yeah, they're doing great. The recent addition of a debugger was a game changer for me.
October 20, 2025 at 3:49 PM
At least as long as you don't plan on publishing manually that is.
October 12, 2025 at 6:40 PM
I have yet to set it up myself, but the way I understand it, tokens in trusted publishing are short-lived and not handled by us. The traditional long-lived tokens aren't required: docs.npmjs.com/trusted-publ...
October 12, 2025 at 6:39 PM
Aren't you supposed to use trusted publishing instead?
October 12, 2025 at 12:13 PM
I can't wrap my head around having to allow port 443 udp someday lol
October 12, 2025 at 9:50 AM
It's so weird if you wanna do stuff like "chore(deps): Bump version of @foo/bar" because GitHub tries to convert it to a user tag lol
October 12, 2025 at 6:54 AM
That's huge. 🎉
September 30, 2025 at 5:20 PM
Someone must have been bored.
September 17, 2025 at 8:53 PM
I've been thinking about making a course myself for a while now. What platform(s) do you recommend?
August 12, 2025 at 10:56 AM