PostCSS Adopts Staged Publishing, Gating 685M Weekly npm Downloads Behind Human Approval

·1 views

Following a GitHub issue filed on June 18, 2026, PostCSS maintainer Andrey Sitnik began rolling out npm's Staged Publishing feature across his high-impact packages, which collectively account for over 900 million weekly downloads. The change was prompted by concerns that CI-based publishing — where automated pipelines hold publish credentials — creates a broad attack surface, as demonstrated by the TanStack compromise in May 2026 and a Red Hat incident on June 1, both exploiting CI tokens to push malicious packages with valid provenance attestations. Staged Publishing addresses this by allowing CI to build and stage a release while requiring a human to manually approve promotion to the 'latest' tag, meaning a stolen CI token alone cannot complete a malicious publish. Within nine days of the initial issue, four packages — PostCSS, nanoid, browserslist, and Autoprefixer — had Staged Publishing enabled, covering 685 million weekly downloads. Three remaining packages, caniuse-lite, postcss-nested, and postcss-js, have yet to adopt the feature, after which the entire ecosystem's roughly 963 million weekly downloads will sit behind a human approval gate.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Curly Braces vs Other Delimiters: Why Semantics Matter in Programming

Curly braces, parentheses, and square brackets each serve distinct roles in programming, yet developers frequently misuse them interchangeably, causing logic errors and bugs. In most procedural and object-oriented languages like C++, Java, and JavaScript, curly braces define the scope of functions, loops, and conditional blocks. In R, the distinction is especially strict: curly braces handle control flow grouping, square brackets perform data subsetting, and parentheses manage function calls. Misapplying these delimiters — such as using curly braces for list indexing in R — results in syntax errors that can be difficult to trace. Understanding the semantic intent behind each delimiter, not just its appearance, is considered essential for writing clean, readable, and maintainable code.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

AI Writes Code Fast, But Reviewing It for Safety Remains the Hard Part

AI coding assistants have significantly accelerated software development tasks like generating components, writing tests, and handling repetitive refactors. However, faster code generation has exposed a new bottleneck: the review process has largely remained unchanged, leaving teams to manually verify correctness, edge cases, and architectural consistency. AI-generated code can appear functionally correct while still missing critical details such as expiry checks, audit logging, or side-effect handling. Tools like Qodo aim to address this by introducing a quality layer that shifts code review earlier into the development workflow, including inside the IDE before changes reach a repository. The broader conversation in AI-assisted development is thus moving from how to generate code faster to how to ensure generated code is actually safe to ship.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Developer Open-Sources High-Performance Solana Bundler for Meme Coin Launches

A developer has released solana-bonkfun-bundler, an open-source tool built for the Solana blockchain, optimized for fast meme coin launches on letsbonk.fun. The bundler allows users to create a token and bundle up to 12 purchases within a single atomic transaction. It includes features such as Jito-powered bundles, delay sniping, pure sniping mode, automatic wallet generation, SOL airdrops, and wallet cleanup tools. Built with TypeScript, the project covers a full stack including on-chain logic, a backend API, WebSocket handlers, and a frontend wallet interface. The repository is publicly available on GitHub, and the developer is welcoming contributions via issues and pull requests.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Five Open-Source NotebookLM Alternatives Tested for Offline, Private Use

A developer tested five open-source alternatives to Google's NotebookLM over a weekend, focusing on privacy concerns around sharing sensitive documents with cloud services. The projects evaluated were Open Notebook, Notex, KnowNote, NotebookLM-Local, and InsightsLM, each differing in setup time, hardware requirements, and offline capability. Open Notebook offered the broadest feature set with multi-model support and a working offline podcast generator, while Notex stood out as a lightweight single-binary option requiring no Docker or database setup. KnowNote provided the most accessible experience for non-technical users as a desktop app, and NotebookLM-Local bundled a local AI model for fully offline use, though with shallower output quality. InsightsLM was the most complex to deploy but offered programmable document workflows via N8N, making it better suited for teams than individual users.

0 comments Read more at DEV Community