Latest Posts

All blog posts sorted by newest first.

[Claude Code] Hiding Co-Authored-By in Commits and PRs (attribution Setting)

2026-06-06
Learn how to hide the Co-Authored-By trailer that Claude Code automatically adds to commits and the Generated with Claude Code line on PRs. Covers how to use the attribution setting instead of the deprecated includeCoAuthoredBy.

[Flutter] The split('') Trap — Android Crash from Emoji and Some CJK Characters

2026-05-27
A summary of the cause and fix for the "string is not well-formed UTF-16" Android crash that occurs when splitting a word containing certain CJK characters or emoji character by character.

[Flutter] Fixing AppBar / System Control Overlap in iPad Multitasking

2026-05-26
A walkthrough of the bug where the AppBar back button overlaps with the system grab handle in iPad Split View / Slide Over / Stage Manager. Covers why screen-size based iPad detection fails, the hardware-based alternative, and the subtle AppBar leading alignment pitfall.

[Flutter] Galaxy S26 Support — Android 16KB Page Size Compatibility

2026-05-25
Learn how to align AAB artifacts so that Flutter apps are properly listed on the Play Store for Galaxy S26 and other devices using 16KB memory page sizes, and how to build a static verification gate to prevent regressions.

[Google Play] The 500-Character Release Notes Limit and a Multilingual Trimming Strategy

2026-05-25
Google Play release notes have a 500-character per-language limit. Based on a real case where both Korean and English notes went over the limit, this post covers practical trimming strategies — which items to drop and how to group related items to compress.

How the Caret (^) in package.json Actually Works — A Docker Build Incident Caused by a Missing Lockfile

2026-05-25
One morning our Docker production build broke without any code change. The cause was a transitive package deep in the dependency tree that had published a new patch a few days earlier. This post walks through the incident and clarifies exactly how the caret range in package.json works and what role yarn.lock plays.

Blocking CDN Tampering with Subresource Integrity (SRI): Lessons from Polyfill.io

2026-05-22
The 2024 Polyfill.io incident showed how a single CDN-hosted script can infect over 100,000 sites at once. This article covers how Subresource Integrity (SRI) works, how to apply it, and how to handle dynamic CSS like Google Fonts where SRI cannot be used directly.

Validating New Dependencies at the PR Stage with GitHub Dependency Review Action

2026-05-21
How to use GitHub's dependency-review-action to prevent PRs from introducing packages with known CVEs, license violations, or risky maintainer changes — with real incident examples.

Strengthening Security Scanning with CodeQL and yarn npm audit

2026-05-20
Two threats that supply chain cooldown alone cannot stop — newly discovered CVEs in already-installed dependencies, and vulnerabilities in your own code — and how to address them with yarn npm audit and GitHub CodeQL, illustrated with real incident examples.

Gaining Dependency Visibility with SBOM: Lessons from Log4Shell

2026-05-19
If your team cannot immediately answer "are we affected?" when a new vulnerability is disclosed, your dependency visibility is insufficient. Using Log4Shell as a case study, this article explains why SBOM (Software Bill of Materials) matters and how to automate it with GitHub Dependency Submission.

Blocking Lockfile Tampering Attacks with Yarn 4 Hardened Mode

2026-05-18
Covers lockfile tampering — a gap in supply chain defenses — and explains how Yarn 4's Hardened Mode closes it by verifying resolutions and integrity hashes on every install. Includes how to enable it with a single line of configuration.

The Effectiveness and Limits of Cooldown as a Supply Chain Defense

2026-05-17
A data-driven evaluation of how effective time-based supply chain defenses — Dependabot cooldown and package manager minimum release age — actually are, using historical incident data.
