Article
Responsible Disclosure: Using GitHub Search (without logging in using SSO) still allows searching (4 mins read).
Reporting on a HackerOne responsible disclosure that I found in GitHub, where you could exfiltrate data without signing in to GitHub SSO.
Thu, 09 May 2024 22:07 by Jamie Tanna
.
#responsible-disclosure
#github
#sso .
Article
Creating a more sustainable model for oapi-codegen in the future (9 mins read).
Announcing a request for sponsorship to continue to allow allocating more time to oapi-codegen as well as to make more ambitious changes to the project.
Thu, 09 May 2024 08:58 by Jamie Tanna
.
#open-source
#oapi-codegen .
Article
oapi-codegen is moving to its own org (7 mins read).
Announcing oapi-codegen's move to its own GitHub org, and a history lesson about the project.
Thu, 09 May 2024 08:58 by Jamie Tanna
.
#open-source
#oapi-codegen .
Article
Lessons learned self-hosting Renovate (13 mins read).
What I've learned operating Renovate as a self-hosted app on GitHub Actions, GitLab CI, and the Mend Renovate Community Edition, and some tips for getting started
Fri, 03 May 2024 11:56 by Jamie Tanna
.
#blogumentation
#renovate .
Article
Automating the syncing of files between repos with GitHub Actions (2 mins read).
Creating a GitHub Action workflow to periodically update vendored files which are out-of-sync between GitHub repos.
Sat, 27 Apr 2024 14:24 by Jamie Tanna
.
#blogumentation
#github
#github-actions .
Article
Querying your organisation's Renovate configuration using SQL(ite) (3 mins read).
A new tool, renovate-config-sqlite, to pull Renovate configuration into an SQLite database.
Sun, 14 Apr 2024 10:58 by Jamie Tanna
.
#blogumentation
#renovate
#sqlite .
Article
Why I recommend Renovate over any other dependency update tools (10 mins read).
Explaining why Renovate is going to be my solution to keeping up-to-date with dependencies and it's not likely to change any time soon.
Fri, 12 Apr 2024 11:06 by Jamie Tanna
.
#blogumentation
#renovate
#dependabot
#snyk .
Article
What can we learn about the backdooring of xz/liblzma, using OpenSSF Security Scorecards and dependency-management-data? (6 mins read).
Looking at how the recent CVE-2024-3094 vulnerability could provide insight into other cases of risk in dependencies and their lack of code review.
Fri, 29 Mar 2024 21:50 by Jamie Tanna
.
#dependency-management-data
#security
#open-source .
Article
What routes is my http.ServeMux listening for? (2 mins read).
How to fairly quickly list the routes that your http.ServeMux is handling, pre- and post-Go 1.22.
Mon, 04 Mar 2024 14:29 by Jamie Tanna
.
#blogumentation
#go .
Article
Why is Go 1.22's enhanced routing not working for me? (2 mins read).
Why you may be receiving 404 page not found errors when using Go's new enhanced routing in Go 1.22.
Mon, 04 Mar 2024 13:45 by Jamie Tanna
.
#blogumentation
#go .
Article
Job titles are bullshit (6 mins read).
When is a Senior Engineer not a Senior Engineer, no standardisation across the industry, and other reasons job titles are frustrating.
Mon, 26 Feb 2024 14:23 by Jamie Tanna
.
#career .
Article
I'm on Changelog and Friends! (2 mins read).
Announcing my first podcast appearance on Changelog and Friends, talking about salary history, the IndieWeb, ADHD and dependency-management-data, among other things.
Sat, 17 Feb 2024 17:58 by Jamie Tanna
.
#podcast
#adhd
#salary
#indieweb
#public-speaking
#dependency-management-data .
Article
You should listen to The Changelog (5 mins read).
Why you should really be adding The Changelog (and its network of podcasts) to your rotation of tech podcasts.
Sat, 17 Feb 2024 17:58 by Jamie Tanna
.
#podcast .
Article
Gotcha: Don't try and authenticate to URLs generated by GitHub Actions Artifacts v4 (3 mins read).
Why you may be receiving errors when trying to authenticate to download GitHub Actions Artifacts using the v4 Actions.
Thu, 15 Feb 2024 15:11 by Jamie Tanna
.
#blogumentation
#github-actions
#go .
Article
Quantifying your reliance on Open Source software (State of Open Con version) (20 mins read).
A writeup of my talk about the dependency-management-data project at the State of Open Con 2024 conference.
Tue, 06 Feb 2024 13:06 by Jamie Tanna
.
#dependency-management-data
#public-speaking
#state-of-open-con
#soocon24
#open-source
#free-software
#sbom .
Article
Celebrating dependency-management-data's first birthday (6 mins read).
Reflecting on the last year of the project.
Fri, 02 Feb 2024 21:54 by Jamie Tanna
.
#dependency-management-data .
Article
Introducing insight into your dependencies' health in dependency-management-data (2 mins read).
How you can use the new dependency health functionality to better understand your dependencies.
Sat, 27 Jan 2024 21:02 by Jamie Tanna
.
#dependency-management-data .
Article
dependency-management-data now has a logo! (1 mins read).
Very excited to note that the project now has a logo.
Wed, 24 Jan 2024 20:06 by Jamie Tanna
.
#dependency-management-data .
Article
Why am I getting Too many arguments with vault? (1 mins read).
Why you may be getting Too many arguments from the vault CLI, and how to fix it.
Mon, 22 Jan 2024 11:04 by Jamie Tanna
.
#blogumentation
#command-line
#vault .
Article
Using renovate-to-sbom with the GitHub Dependency Submission API (4 mins read).
How to improve the data in GitHub's Dependency Graph by using an SBOM produced by Renovate data.
Tue, 16 Jan 2024 10:27 by Jamie Tanna
.
#dependency-management-data
#renovate
#sbom
#github .
Article
Comparing the different Merge Request / Pull Request merge methods in GitLab and GitHub (2 mins read).
How the different merge methods for contributions work between GitLab and GitHub.
Mon, 15 Jan 2024 10:19 by Jamie Tanna
.
#blogumentation
#gitlab
#github .
Article
How to unpublish/redact/undo/retract a Go release (3 mins read).
How to retract a release version of a Go version, without risking folks automagically upgrading to that version.
Mon, 15 Jan 2024 09:33 by Jamie Tanna
.
#blogumentation
#go .
Article
How do you represent a JSON field in Go that could be absent, null or have a value? (5 mins read).
Why it's surprisingly hard to work out a field has been sent or whether it's explicitly null, when using Go's encoding/json.
Tue, 09 Jan 2024 15:37 by Jamie Tanna
.
#blogumentation
#go
#json
#oapi-codegen .
Article
Why is set -eu not working? (2 mins read).
Why you may be finding set -u in a shell script not exiting when set -e is also present.
Fri, 05 Jan 2024 12:02 by Jamie Tanna
.
#blogumentation
#command-line
#bash .
Article
You can now interact with dependency-management-data using GraphQL (2 mins read).
Announcing the release of the GraphQL API for dependency-management-data.
Thu, 07 Dec 2023 21:21 by Jamie Tanna
.
#dependency-management-data
#graphql .
Article
You can now use Open Policy Agent with dependency-management-data (2 mins read).
How to use Open Policy Agent to perform much more effective flagging of package compliance with dependency-management-data.
Fri, 24 Nov 2023 18:31 by Jamie Tanna
.
#dependency-management-data
#open-policy-agent .
Article
Introducing snyk-export-sbom to export SPDX and CycloneDX SBOM from Snyk (2 mins read).
Creating a new command-line tool for more easily retrieving Software Bill of Materials (SBOMs) from Snyk, as well as adding licensing information to SBOMs.
Wed, 15 Nov 2023 12:07 by Jamie Tanna
.
#sbom
#snyk .
Article
Using dependency-management-data with npm's SPDX and CycloneDX SBOM export functionality (1 mins read).
How to get started with npm's SBOM export functionality with dependency-management-data.
Sun, 05 Nov 2023 20:45 by Jamie Tanna
.
#dependency-management-data
#sbom
#npm .
Article
Introducing renovate-to-sbom to convert Renovate data to Software Bill of Materials (SBOMs) (1 mins read).
Creating a new command-line tool for converting Renovate data exports to Software Bill of Materials (SBOMs).
Fri, 03 Nov 2023 21:46 by Jamie Tanna
.
#dependency-management-data
#renovate
#sbom .
Article
dependency-management-data now supports OSS Review Toolkit (ORT) (1 mins read).
How to use data from OSS Review Toolkit (ORT) with dependency-management-data.
Tue, 31 Oct 2023 10:47 by Jamie Tanna
.
#dependency-management-data .
Article
Getting Go modules to work with nested GitLab groups (3 mins read).
How to get Go modules to work with nested groups in GitLab for public or private repos.
Sat, 28 Oct 2023 16:44 by Jamie Tanna
.
#blogumentation
#go
#gitlab .
Article
Performing a v2 release of a Go module (1 mins read).
How to prepare your Go module for its first breaking change release.
Sat, 28 Oct 2023 16:44 by Jamie Tanna
.
#blogumentation
#go .
Article
Building resilient, runnable command-line demos with Asciinema and demo (3 mins read).
How to use the demo library alongside Asciinema to make it easier to build and maintain demos for your command-line tools.
Mon, 23 Oct 2023 21:47 by Jamie Tanna
.
#blogumentation
#command-line .
Article
Importing a subdirectory from one repo into another (1 mins read).
How to import a subdirectory of a given Git repository into another one, using git subtree.
Mon, 23 Oct 2023 20:15 by Jamie Tanna
.
#blogumentation
#git
#git-subtree
#command-line .
Article
How we reduced oapi-codegen's dependency overhead by ~84% (6 mins read).
An example of how to reduce the size of a Go module's dependencies by taking advantage of Go module pruning.
Mon, 23 Oct 2023 17:21 by Jamie Tanna
.
#blogumentation
#go .
Article
Plea to Software Composition Analysis (SCA) providers and Software Bill of Materials (SBOMs) producers: give us more data! (2 mins read).
Why I think dependency scanning tooling should be providing as much data as possible about scanned projects, to allow other tooling to make better inferences about the data.
Sun, 22 Oct 2023 14:15 by Jamie Tanna
.
#sbom
#dependency-management-data
#persuasive .
Article
Which version of Go was used to compile this binary? (2 mins read).
How to use a few means to work out what version of Go a given binary was compiled with.
Sat, 14 Oct 2023 14:11 by Jamie Tanna
.
#blogumentation
#go .
Article
Utilising Renovate's local platform to make renovate-graph more efficient (2 mins read).
How using the local platform with renovate-graph can increase the performance of dependency extraction.
Fri, 13 Oct 2023 18:12 by Jamie Tanna
.
#blogumentation
#renovate
#dependency-management-data .
Article
Gotcha: Using vCluster on Elastic Kubernetes Service requires a Container Storage Interface driver (2 mins read).
How to avoid PersistentVolumeClaims getting stuck in a Pending state with vCluster and EKS when you've not set up the cluster with a Container Storage Interface driver for Elastic Block Store.
Tue, 10 Oct 2023 13:38 by Jamie Tanna
.
#blogumentation
#aws
#kubernetes .
Article
Listing environment variables used to trigger a Buildkite pipeline (1 mins read).
How to use Buildkite's GraphQL API to list the environment variables provided to trigger a pipeline.
Tue, 10 Oct 2023 13:25 by Jamie Tanna
.
#blogumentation
#buildkite .
Article
Publishing My On-Call Compensation History (1 mins read).
Publishing a page detailing the on-call compensation I've received over the years.
Tue, 10 Oct 2023 09:58 by Jamie Tanna
.
#job
#on-call
#devopsdays .
Article
Why should you blog? (12 mins read).
A writeup of my talk at DDD East Midlands around why you should start blogging.
Sat, 07 Oct 2023 11:41 by Jamie Tanna
.
#blogging
#public-speaking .
Article
Solving /usr/lib/Xorg.wrap: Only console users are allowed to run the X server errors with tmux over SSH (1 mins read).
How to avoid Xorg errors when connecting to a Linux machine over SSH that tries to spawn startx.
Thu, 05 Oct 2023 14:08 by Jamie Tanna
.
#blogumentation
#linux
#tmux
#ssh .
Article
This talk should also be a blog post (3 mins read).
How you can improve your public speaking by also writing blog posts for your talks.
Thu, 05 Oct 2023 11:54 by Jamie Tanna
.
#blogging
#public-speaking .
Article
How blogging has affected me, as a neurodiverse person (5 mins read).
How I've used blogging to help with my ADHD.
Wed, 04 Oct 2023 14:46 by Jamie Tanna
.
#neurodiversity
#blogging
#adhd
#autism .
Article
Introducing tweetus-deletus - a tool to automate deleting your tweets, through the browser (3 mins read).
Announcing the release of tweetus-deletus, a tool to delete all your tweets, driven through the browser with Playwright.
Sat, 30 Sep 2023 21:47 by Jamie Tanna
.
#playwright
#javascript
#twitter .
Article
Reusing a browser session with Playwright (1 mins read).
How to re-use your existing browser sessions with Playwright.
Sat, 30 Sep 2023 20:59 by Jamie Tanna
.
#blogumentation
#playwright
#javascript .
Article
Using dependency-management-data with GitLab's Pipeline-specific CycloneDX SBOM exports (1 mins read).
How to take advantage of SBOM export functionality in GitLab 16.4 with dependency-management-data.
Wed, 27 Sep 2023 21:24 by Jamie Tanna
.
#dependency-management-data
#sbom
#gitlab .
Article
Gotchas with pointing Go modules to a fork, when building an installable module (3 mins read).
A gotcha around how to pin a Go module to a fork, if you're building a module that should be go install-able.
Wed, 20 Sep 2023 14:48 by Jamie Tanna
.
#blogumentation
#go .
Article
Building dynamic jobs with BuildKite (2 mins read).
How to dynamically generate job configuration for BuildKite, while running inside a pipeline.
Thu, 14 Sep 2023 11:40 by Jamie Tanna
.
#blogumentation
#buildkite .