- security
- open-source
- postmortem
The Day SLSA Provenance Lied
A 6-minute window on May 11 broke a signal the supply-chain world had treated as clean: valid SLSA attestation on 84 malicious npm packages.
A 6-minute window on May 11 broke a signal the supply-chain world had treated as clean: valid SLSA attestation on 84 malicious npm packages.
What it actually takes to port a Node-based auth library to Web Crypto, D1, and the Workers runtime, with concrete before-and-after code.