yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange
1.4K Followers
134 Following
1.1K Posts

open source interloper; attracts bugs easily

a bit of Yiddish posting

website: https://yossarian.net
blog: https://blog.yossarian.net
github: https://github.com/woodruffw
bluesky: https://bsky.app/profile/yossarian.net

great post from the folks over at grafana about how they’re using zizmor at scale across their whole estate: https://grafana.com/blog/2025/06/26/how-to-detect-vulnerable-github-actions-at-scale-with-zizmor/
How to detect vulnerable GitHub Actions at scale with Zizmor | Grafana Labs
In order to harden our infrastructure and pipelines, we have introduced the open source tool Zizmor into our CI/CD pipelines.

what’s the matter babe? you haven’t touched your 50 pounds of raisinettes

zizmor v1.10.0 is released!

this is a *huge* new release in terms of features, bugfixes, and enhancements. just to highlight a few:

* zizmor's new experimental fix mode is now available! users can use `--fix=[MODE]` to control it; see the docs for more: https://docs.zizmor.sh/usage/#auto-fixing-results

* the new anonymous-definition audit flags unnamed workflows and jobs for the pedantic persona: https://docs.zizmor.sh/audits/#anonymous-definition

* zizmor's location/fixture core has been rewritten to support "subfeatures," meaning that many audits now produce much nicer/more precise finding renders that are easier to read

read the full release notes here: https://docs.zizmor.sh/release-notes/#1100

#rust #security

Usage - zizmor
Usage tips and recipes for running zizmor locally and in CI/CD.
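As an added illustration of what the new anonymous-definition audit looks for (this is a constructed workflow, not code from the post or from the zizmor project), here is a minimal GitHub Actions workflow in its anonymous form and then with both definitions named. The assumption, taken from the post's description, is that the audit flags a workflow with no top-level `name:` and any job with no `name:`, and that it only fires under the pedantic persona.

```yaml
# .github/workflows/ci.yml, before: constructed example, not from the post.
# Both definitions are anonymous: there is no top-level `name:` and the
# `build` job has no `name:`. Under `--persona pedantic` this is what the
# anonymous-definition audit is assumed to report.
on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo test

# .github/workflows/ci.yml, after: the same workflow with both definitions
# named. The names are what appear in the Actions UI, in run history and in
# audit output, so anonymous definitions make findings harder to attribute
# back to the workflow or job that produced them.
name: CI

on:
  push:

jobs:
  build:
    name: Build and test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo test
```

The two sections are shown in one block for side-by-side reading; each is a separate file in practice. Running `zizmor --persona pedantic .github/workflows/` over the first form is expected to surface the finding, and over the second form not to; whether the experimental `--fix` mode can apply this particular change is not stated in the post, so check the linked audit docs before relying on it.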

girls just wanna have -funroll-loops

"being unable to pronounce PyPI" continues to be a very strong predictor for whether you should not take a supply chain security company seriously

i deeply dislike that this parses correctly in GHA

a happy Pride

The libxml2 maintainer is no longer accepting embargoed security reports. They just get treated like regular issues.

This bit in a comment on the announcement really resonates with me:

> these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve libxml2.

Too often a company will depend on some library, and then when there are issues with it, shame the maintainer into fixing them. "There's a problem with your project, it is your responsibility to fix it".

No.

You chose to build on top of this library, and with that took on all responsibility that comes with that choice. Any tech debt or bugs are now YOUR tech debt and bugs. What are you going to do about them?

https://gitlab.gnome.org/GNOME/libxml2/-/issues/913

Triaging security issues reported by third parties (#913) · Issues · GNOME / libxml2 · GitLab
I have to spend several hours each week dealing with security issues reported by third parties. Most of these issues aren't critical but it's still a lot of...

compare to the old render, which knew which part of the code block was problematic but couldn't span it discretely:

sneak peek for more precise subspanning within zizmor:

(this overcomes one of zizmor's earliest architectural limitations, i.e. that it could only span on full YAML elements and nothing within those elements. no longer!)