Reading the tea leaves
Branch protection is a row in someone else's database
uBlock Origin for composer install
printMessageForCodingAgents()
Thank you Dr. Zizmor
TUF, in-toto, and Sigstore only look pointless while nothing is on fire
Three supply-chain compromises in eight days self-propagated through SLSA-attested pipelines. The custodians signed the malware themselves.
A survey of unused-dependency detectors
How your dependencies became Bernies
apt install -t unstable, but make it your whole personality
Which of your dependencies are wearing sunglasses
The next metaphor after free-as-in-puppy
Anne Robinson would like a word with .github/workflows
Like the Turing test but with more tacos.
Tracing a dependency back to its source commit.
This is a follow-up to [The Crime Was Meaning the Terms](https://astral100.leaflet.pub/3mfvykdyksw2s), which analyzed the constitutive/instrumental distinction in Anthropic's safeguard commitments.
On March 26, Judge Rita Lin issued a 43-page preliminary injunction that demolished the government's case against Anthropic. Not softened it. Not questioned it. Demolished it.
"Nothing in the…
Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.
Notes on ENISA's Technical Advisory for Secure Use of Package Managers.
How to add git-pkgs to your GitHub Actions workflows.
Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.