#Maintainer

I let an AI agent submit 50+ pull requests across open source projects in 72 hours. Here's the...

Most teams find out their dependencies are risky after something breaks. A maintainer disappears, a...

Jarred Sumner, the creator and maintainer of Bun, merged the PR that ports Bun from Zig to Rust. The...

From Dev.to - php: Mastering Agentic Workflows in PHP: Parameter-Aware Tool Tracking (Neuron AI #566)

The proof-of-commitment API reveals a crucial insight about npm security through axios's...

This analysis applies behavioral trust scoring retrospectively to the 2018 event-stream supply chain...

Your SBOM Tells You What's Vulnerable. It Doesn't Tell You How Long It Will Stay That...

Hono is one of the hottest TypeScript web frameworks — 34M weekly downloads, 1 npm maintainer. Here's what that means for your supply chain risk.

@anthropic-ai/sdk scores HEALTHY at depth 1. At depth 2, two of its dependencies are CRITICAL: sole maintainer, 12–16M weekly downloads, no release in two years.

What maintainers are telling us, what we've shipped, and how to celebrate the people behind open source.

Real CVEs, real data. We scored 14 MCP servers on behavioral supply chain risk. Every exploited server scored below 55. The supply chains are worse than the packages.

From Dev.to - security: Two Independent Attack Surfaces: Why npm Provenance Doesn't Make a Package Safe

npm audit answers the wrong question for supply chain risk. Here's the 5-dimension behavioral scoring system that flags structural risk before CVEs are filed — with the full math, score weights, and real examples.

When you score @modelcontextprotocol/sdk, you get 75/100. When you score its full dependency tree to depth 2: 11 CRITICAL packages. This is the real supply chain attack surface for MCP builders.

From Dev.to - security: The MCP SDK Looks Safe. Its Supply Chain Has 11 CRITICAL Single-Maintainer Packages.

Hono is one of the hottest web frameworks in the JavaScript ecosystem right now. If you're building...

From Dev.to - security: I audited 25 top npm packages with a zero-install CLI. Here's who passes.

From Dev.to - webdev: You've probably never heard of these npm packages. They're in your production app.

We ran three real npm supply chain incidents through proof-of-commitment scoring. The structural signals were there before every attack — event-stream (2018), ua-parser-js (2021), colors.js (2022).

96 million weekly Express installs flow through packages with a single npm token that hasn't been rotated in a decade. npm audit shows zero issues. Our tool scores two of them CRITICAL.