Latest Posts

The 2024 Polyfill.io incident showed how a single CDN-hosted script can infect over 100,000 sites at once. This article covers how Subresource Integrity (SRI) works, how to apply it, and how to handle dynamic CSS like Google Fonts where SRI cannot be used directly.

How to use GitHub's dependency-review-action to prevent PRs from introducing packages with known CVEs, license violations, or risky maintainer changes — with real incident examples.

Two threats that supply chain cooldown alone cannot stop — newly discovered CVEs in already-installed dependencies, and vulnerabilities in your own code — and how to address them with yarn npm audit and GitHub CodeQL, illustrated with real incident examples.

If your team cannot immediately answer "are we affected?" when a new vulnerability is disclosed, your dependency visibility is insufficient. Using Log4Shell as a case study, this article explains why SBOM (Software Bill of Materials) matters and how to automate it with GitHub Dependency Submission.

Covers lockfile tampering — a gap in supply chain defenses — and explains how Yarn 4's Hardened Mode closes it by verifying resolutions and integrity hashes on every install. Includes how to enable it with a single line of configuration.

A data-driven evaluation of how effective time-based supply chain defenses — Dependabot cooldown and package manager minimum release age — actually are, using historical incident data.

Three concrete strategies for defending against npm supply chain attacks. Covers GitHub Actions SHA pinning, Dependabot cooldown, and Yarn 4's npmMinimalAgeGate — step by step, with code.

An analysis of the axios supply chain attack that hit the npm ecosystem in March 2026. Covers the full attack chain — maintainer account hijack, malicious dependency injection, and RAT deployment via a postinstall script — along with the structural weaknesses in npm's trust model.

Learn how to set up an integration_test-based E2E test environment in a Flutter project and apply it to a real app using Firebase/GetX/SQLite.

Analyzing the AI engineering techniques applied to the SDD (Spec-Driven Development) Plugin for Claude Code through 4 paradigms: Prompt, Context, Agentic, and Harness. See how each paradigm is implemented in the plugin with actual code examples.

The 4 phases of building the SDD (Spec-Driven Development) Plugin for Claude Code — foundation, multilingual support, Issue template improvements, and the resume command. Sharing the development process and lessons learned.

SDD (Spec-Driven Development) Plugin is a Claude Code plugin that helps you collaborate systematically with AI through a GitHub Issue-based 4-stage process (Analyze → Design → Implement → Test). This post covers its commands, GitHub integration, and usage.