
Posts

Why you can't have a ‘work self’ and a ‘home self’

There's a question that comes up in nearly every leadership workshop, every team development session, every coaching conversation about authenticity: Should I be thinking about my professional values or my personal values? It's an understandable question. We've been conditioned to believe in compartmentalization—that we can be one person at work and another at home, that we can hold one set of principles in the boardroom and a different set at the dinner table. But here's what Brené Brown names so clearly in Dare to Lead: We have only one set of values. Me and the other me The idea that we might have separate value systems for different areas of our lives is appealing. It would make things so much easier, wouldn't it? We could be competitive at work but collaborative at home. We could prioritize results over relations in business but reverse that in our personal relationships. Except that's not how integrity works. That's not how we work. ...
Recent posts

Gain insights in your software supply chain using GitHub’s Dependency Graph

The recent software supply chain attacks prove once again that having insight into your own project dependencies is crucial. This is where GitHub's dependency graph can help. It maps every direct and transitive dependency in your project, giving you the visibility you need to understand, secure, and manage your software supply chain. What is the Dependency Graph? The dependency graph is a summary of the manifest and lock files stored in a repository, showing which packages depend on what, helping you identify risks, prioritize security fixes, and keep track of your project's true footprint. For each repository, the dependency graph shows: Dependencies: The ecosystems and packages your project relies on; Version information: What versions you're using; License details: The licensing terms of your dependencies; Vulnerability status: Whether any dependencies have known security issues; Transitive paths: For ecosystems that support it, you can see the entire ch...

Take a tour along the Microsoft Datacenters

Have you ever wondered what powers the cloud services you use every day? From video calls to online banking, from remote work to social media, there's a massive physical infrastructure humming away behind the scenes. Microsoft has opened the curtains on this hidden world through their Azure Global Infrastructure Experience—a virtual datacenter tour that offers an unprecedented look inside the technology that powers our digital lives. What is the Azure Global Infrastructure experience? The Azure Global Infrastructure Experience is an immersive, interactive 3D virtual tour that allows anyone to explore the inner workings of Microsoft's datacenter operations. Rather than requiring physical visits to secure facilities, this digital experience brings the datacenter to you, accessible from any PC or mobile device. The tour showcases infrastructure spanning over 60 datacenter regions and more than 300 datacenters globally, giving visitors insight into the sheer scale of Microsof...

Giving OpenAI codex a try in VSCode

At GitHub Universe, GitHub announced that you can use OpenAI Codex with your existing GitHub Copilot Pro+ subscription. Therefore we first need to install the OpenAI Codex extension and sign in with GitHub Copilot. Installation & configuration You can directly install the extension from the extensions or through the Agent sessions view: After the installation has completed, you need to sign in. You can either use your ChatGPT account or your (existing) GitHub Copilot subscription. Once signed in, we have an extra chat window available: There are a few things we can configure here: Environment: Local workspace: The agent will interact with your local machine and VSCode workspace. Connect Codex Web: Send the chat to the ChatGPT web interface. Send to cloud: The agent will operate in a sandboxed cloud environment. Chat Mode (called approval modes in OpenAI Codex): Chat: Regular chat, doesn’t make any changes directly. ...

Defending yourself against compromised npm packages

The recent software supply-chain attacks prove once again that the npm ecosystem is a double-edged sword. With over 2 million packages available, developers can build applications faster than ever before. But this convenience comes with a significant security risk. When a single compromised package can affect thousands of downstream projects, we need better defenses. In this post, I'll show you how combining npm lock files with the --ignore-scripts flag creates a powerful security layer that can protect your projects from many common attack vectors. The growing threat of supply chain attacks Supply chain attacks in the npm ecosystem aren't theoretical—they're happening regularly. In recent years, we've seen high-profile incidents like the event-stream compromise, where a popular package was hijacked to steal Bitcoin wallets, and the ua-parser-js attack, where malicious code was injected to install cryptominers and password stealers. These attacks often follow a...

Understanding your project architecture and how it evolves over time using Gource

Have you ever wanted to see your project's Git history come to life? Gource is a fantastic tool that transforms your commit history into a mesmerizing animated visualization, showing how your codebase grows and evolves over time. It's like watching a time-lapse of your project's development, with files appearing, changing, and moving as contributors work on different parts of the code. But Gource is more than just eye candy. I like to use this tool to spot architectural patterns, identify hotspots where code changes frequently, understand how the team collaborates, and even detect potential coupling issues before they become problems. It's a powerful lens for understanding not just what a team has built, but how they've built it. In this post, I'll walk you through everything you need to know to create your first Gource visualization and use it to gain valuable insights into your codebase's architecture. What is Gource? Gource is an open-source vis...

Find your line

Last week I was listening to Adam Grant's Rethink podcast. The guest was Daryl Davis, a black musician who has spent decades doing something most of us would find unthinkable: sitting down face-to-face with members of the Ku Klux Klan and neo-Nazis, listening to them, and through empathy and curiosity, helping many leave hate groups behind. What struck me wasn't just his extraordinary work. It was also his advice for the rest of us, the ones who can't imagine doing what he does. Not everyone belongs on the front line Daryl Davis and Jeff Schoep, who also joined the podcast, are what he calls "on the front lines"—directly engaging with people in hate groups. But Davis readily acknowledges that this isn't for everyone. "Some people, they can't do that," he explained. "They cannot bring themselves to sit down with a KKK member or a neo-Nazi. 'I can't sit with those people. I'm afraid of them. Or I'm afraid I might punch...