Why catching npm vulnerabilities in CI is already too late

Software engineer Sonu Kapoor, writing for DevOps.com, argues that discovering npm dependency vulnerabilities during CI pipeline runs is a structural flaw, not a security practice. By the time a scanner flags an issue in CI, the developer has already installed the package, written dependent code, and moved on, making the fix a separate project rather than a quick decision. To illustrate the scale of the problem, Kapoor cites a scan of the NestJS repository's package-lock.json, which revealed 1,626 resolved packages carrying 25 vulnerabilities, 13 of which were buried in transitive dependencies. The recommended fix involves shifting discovery earlier through pre-commit hooks, mandatory PR-level lockfile scans, and branch-protection policies, rather than relying solely on a local CLI tool. Critics of the approach note that developer-side tools can be inconsistently applied, and that enforced PR checks and branch-protection rules offer more reliable controls than optional local scanning.
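A minimal lockfile gate of the kind the summary recommends, added here as an example and not taken from Kapoor's article or any project: it parses a package-lock.json (lockfileVersion 2/3 "packages" map), separates direct from transitive dependencies by checking the root entry's declared dependencies rather than path depth (hoisted transitive packages also sit at node_modules/<name>), and returns a non-zero status for use as a pre-commit or PR check. The lockfile contents and the advisory map are constructed placeholders.

```python
import json
import sys

# Constructed sample lockfile (lockfileVersion 3 "packages" map), not from any real project:
# lib-a is declared at the root; lib-b is nested under lib-a; lib-c is hoisted but undeclared.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"lib-a": "^1.0.0"}},
        "node_modules/lib-a": {"version": "1.2.0", "dependencies": {"lib-b": "^2.0.0"}},
        "node_modules/lib-a/node_modules/lib-b": {"version": "2.0.1"},
        "node_modules/lib-c": {"version": "0.9.0"},
    },
})

# Constructed advisory data with placeholder package names; a real hook loads a vetted feed.
SAMPLE_ADVISORIES = {"lib-b": {"2.0.1"}, "lib-c": {"0.9.0"}}

def parse_lock(text):
    """Return every resolved package with its version and whether it is a direct dependency."""
    packages = json.loads(text).get("packages", {})
    root = packages.get("", {})
    declared = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    resolved = []
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.split("node_modules/")[-1]  # also handles scoped names like @scope/pkg
        # A top-level entry is only "direct" if the root manifest declares it; hoisted
        # transitive packages also live at node_modules/<name>, so path depth alone is not enough.
        is_direct = path == f"node_modules/{name}" and name in declared
        resolved.append({"name": name, "version": meta.get("version"), "direct": is_direct})
    return resolved

def scan(text, advisories):
    """Match resolved versions against the advisory map and count how many hits are transitive."""
    resolved = parse_lock(text)
    findings = [p for p in resolved if p["version"] in advisories.get(p["name"], set())]
    transitive = sum(1 for f in findings if not f["direct"])
    return {"packages": len(resolved), "findings": findings, "transitive": transitive}

def gate(text, advisories):
    """Exit status for a pre-commit or PR check: 1 when any vulnerable version is locked."""
    return 1 if scan(text, advisories)["findings"] else 0

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "package-lock.json") as fh:
        sys.exit(gate(fh.read(), SAMPLE_ADVISORIES))
```

Run it as `python gate.py package-lock.json` from a pre-commit hook or a PR job; wiring the same script into a required status check under branch protection is what makes it mandatory rather than optional.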

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Related stories

Programming · DEV Community

Rust developer releases 'matten', a beginner-friendly tensor library for prototyping

A developer has published matten, a lightweight Rust library designed to simplify working with multidimensional arrays during early-stage numerical projects. The library aims to reduce the setup complexity that comes with established tools like ndarray or nalgebra, which are better suited for production-level performance. Matten offers a single public Tensor type with no generic parameters, human-readable error messages, and built-in JSON and CSV support. It explicitly prioritizes ease of use over speed, and a companion package called matten-ndarray is available to ease migration when performance becomes a priority. The project is open source and available on crates.io, with documentation hosted on docs.rs.

Programming · DEV Community

Power BI Data Modeling Explained: Relationships, Schemas, and Joins

A tutorial published on DEV Community walks data professionals through the fundamentals of data modeling, relationships, and schema design in Microsoft Power BI. The guide uses an online bookstore scenario — with separate Customers, Orders, and Books tables — to illustrate how raw, scattered data can be structured into a coherent model. It explains that Power BI's Model View is where tables and their connections are visually organized, forming the foundation for reliable dashboards and reports. The article also covers joins within Power BI's Power Query Editor, detailing six join types — including inner, left outer, right outer, and full outer — and when each should be applied. Getting these foundational concepts right, the author argues, is essential before building any meaningful or trustworthy data visualizations.

Programming · DEV Community

Developer Builds Fully Offline RAG Agent Using LangGraph, Ollama, and Embedded Qdrant

A developer has demonstrated how to run a complete Retrieval-Augmented Generation (RAG) agent entirely offline on a laptop, requiring no API keys, no Docker, and no cloud services. The setup uses Ollama to serve two local models — Qwen3.5:9b for chat and bge-m3 for embeddings — alongside an embedded Qdrant vector store that persists data to a local directory. A provider-swap architecture built in an earlier project phase allows switching between local and cloud backends by changing a single config variable, without modifying application code. The ingestion pipeline automatically detects the embedding dimension at runtime, ensuring the vector collection is created with the correct size regardless of which provider is active. In a test run, five markdown documents were processed into 53 chunks and stored as 1024-dimensional vectors using the fully local stack.