lhl

Supply Chain Security for Software Developers

Practical, layered defenses against package supply chain attacks. Written after the March–April 2026 wave of supply chain compromises: Trivy and LiteLLM (TeamPCP), and axios (Sapphire Sleet / UNC1069).

What Happened

Three major supply chain attacks hit within two weeks, exposing how fragile implicit trust in open-source tooling can be.

Trivy (TeamPCP, March 19–22): Aqua Security's Trivy vulnerability scanner — the most widely used open-source scanner in cloud-native CI/CD — was compromised in a multi-phase attack. An earlier breach in February via a misconfigured pull_request_target workflow stole a Personal Access Token. Credential

santoshyadavdev

import {readFileSync} from 'fs';
import {execSync} from 'node:child_process';

import {exec} from 'child_process';
import util from 'util';

export const execAsync = util.promisify(exec);

execSync('npx nx graph --file=workspace-graph.json').toString('utf-8');

LayZeeDK

  graph TD;
      A[ParentComponent]--imports-->B[ChildComponent];

armanozak

type Strict<Contract, Class> = Class extends Contract
  ? { [K in keyof Class]: K extends keyof Contract ? Contract[K] : never }
  : Contract;

interface MyContract {
  foo: number;
  bar: boolean;
}

type MyStrictContract = Strict<MyContract, MyClass>;

armanozak

type Repeat<T, Count, Acc extends any[] = []> = Acc['length'] extends Count ? Acc : Repeat<T, Count, [...Acc, T]>;

function i18n<Keys extends number[]>([result, ...parts]: TemplateStringsArray, ...keys: Keys) {
  return (...param: Repeat<string, Keys['length']>) =>
    keys.reduce((acc, key, i) => acc + (param as number[])[key] + parts[i], result);
}

const introduceEn = i18n`Hi. My name is ${0}. I work as a ${1} at ${2}.`;
const introduceTr = i18n`Merhaba. Benim adım ${0}. ${2} şirketinde ${1} olarak çalışıyorum.`;
// (param_0: string, param_1: string, param_2: string) => string

laughinghan

• any: magic, ill-behaved type that acts like a combination of never (the proper [bottom type]) and unknown (the proper [top type])
  • Anything except never is assignable to any, and any is assignable to anything at all.
  • Identities: any & AnyTypeExpression = any, any | AnyTypeExpression = any
  • Key TypeScript feature that allows for [gradual typing].
• unknown: proper, well-behaved [top type]
  • Anything at all is assignable to unknown. unknown is only assignable to itself (unknown) and any.
  • Identities: unknown & AnyTypeExpression = AnyTypeExpression, unknown | AnyTypeExpression = unknown

• Prefer over any whenever possible. Anywhere in well-typed code you're tempted to use any, you probably want unknown.

WebReflection

Why I use web components

This is some sort of answer to recent posts regarding Web Components, where more than a few misconceptions were delivered as fact.

Let's start by defining what we are talking about.

The Web Components Umbrella

As you can read in the dedicated GitHub page, Web Components is a group of features, where each feature works already by itself, and it doesn't need other features of the group to be already usable, or useful.

WebReflection

lys is a programming language that produces WASM, and its design goal is to be as simple as possible, yet useful to create utilities.

I've been thinking about a subset of JavaScript that could run natively on the browser, similarly to asm.js, but with the ability, through a dedicated parser, to target another language able, on its own, to produce WASM.

The following crazy non sense works already thanks to an agglomerated of modern and deprecated JS features and it might be interesting as experiment to see if a JS to WASM compiler, through the lys indirection, could be possible.

function lys(fn) {

  /*! (c) Andrea Giammarchi */

LayZeeDK

angularistanbul

@Component({
  selector: 'my-app',
  template: `<hello></hello>`
})
export class AppComponent  {
  name = 'Angular';
}

@Component({
  selector: 'hello',