This is my first attempt at writing a newsletter. I can't promise a cadence yet, but I want to write about my journey in OSS, my explorations with AI, developer tooling, and all the other tech-related things I love doing.
When I woke up on Monday and noticed the TanStack supply chain attack, I rushed out of bed and opened my laptop to finish some… unfinished work. The work is mainly around locking down the publishing workflow of Preact. Concretely, it does a bunch of things:
- publishes have to be approved on GitHub (npm verifies that this approval happened)
- we issue provenance statements
- when a package goes from provenance to non-provenance, consumers can prevent it from being installed with a no-downgrade option
After reading more deeply into what happened, I realized that my changes would not have prevented this particular attack. One of the more concerning details was the reuse of dependency caches between forks and the main repository.
Then we removed caches from publish jobs and locked dependencies down further with pnpm 11. After talking to people who understand this space far better than I do, I think the current setup is close to the best we can reasonably do today.
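To make those properties concrete (a maintainer approval gate, a provenance statement, a frozen lockfile, and no cache restored in the publish job), here is a GitHub Actions publish job written for this post as an illustration; it is not Preact's actual workflow. The environment name npm-publish and the secret name NPM_TOKEN are assumptions.

```yaml
name: Publish to npm

on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment name. Configure "required reviewers" on it in
    # the repository settings so a maintainer must approve every run.
    environment: npm-publish
    permissions:
      contents: read
      id-token: write   # lets npm request the OIDC token used for provenance
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: pnpm/action-setup@v4
        with:
          version: 11

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
          # No `cache:` input on purpose: nothing is restored from a
          # dependency cache that a fork's workflow run could have written.

      # Fails if pnpm-lock.yaml and package.json disagree, so the build
      # that gets published uses exactly the locked dependency set.
      - run: pnpm install --frozen-lockfile

      - run: pnpm run build

      # --provenance attaches a signed statement tying the tarball to
      # this workflow run, commit and repository.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Each tag push then waits on the environment's reviewers before any step runs, and the resulting package carries a provenance statement consumers can check.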
The whole incident has stayed with me, though.
I saw some open-source repositories respond by preventing external contributors from opening pull requests. I deeply understand the reasoning. Maintainers are scared. I am scared too. Nobody wants to be responsible for shipping a malicious package to thousands or millions of users.
I’m also saddened by that trend. Open source gave me opportunities I would not have had otherwise. I would not be where I am today without communities like Preact, urql, GraphQL, and others accepting my contributions long before I had any formal authority in them.
It is already hard enough to get a job, prove yourself, and find your way into the industry right now. If open source becomes more closed, we remove one of the few remaining paths where people can still show up, contribute, learn, be seen, and earn trust.
So yes, we need to take supply-chain security seriously. We need provenance, locked-down publishing, safer workflows, fewer footguns, and better defaults.
But I hope we do not respond by closing the door behind us. The real challenge is not just making open source safer. It is making it safer without making it impossible for the next person to get in.
