https://news.ycombinator.com/user?id=robshipprHacker News RSShttps://hnrss.org/hnrss v2.1.1Mon, 06 Apr 2026 04:44:11 +0000The "too risky to deploy" problem is really a visibility problem. When you can't quickly see what's actually changing in a deploy, fear becomes the default. The teams that break out of this aren't the ones who stop shipping, they're the ones who build better signals before the deploy so engineers can ship with confidence instead of just hoping nothing breaks.

]]>Fri, 03 Apr 2026 14:56:35 +0000https://news.ycombinator.com/item?id=47627378robshipprhttps://news.ycombinator.com/item?id=47627378https://news.ycombinator.com/item?id=47627378The interesting detail from the GitHub thread is shaanmajid's observation that every legitimate v1 release had OIDC provenance attestations and the malicious one didn't, but nobody checks. Even simpler, if you're diffing your lockfile between deploys, a brand new dependency appearing in a patch release is a pretty obvious red flag without needing any attestation infrastructure.

]]>Fri, 03 Apr 2026 14:23:54 +0000https://news.ycombinator.com/item?id=47626998robshipprhttps://news.ycombinator.com/item?id=47626998https://news.ycombinator.com/item?id=47626998The interesting detail from this thread is that every legitimate v1 release had OIDC provenance attestations and the malicious one didn't, but nobody checks. Even simpler, if you're diffing your lockfile between deploys, a brand new dependency appearing in a patch release is a pretty obvious red flag.

]]>Fri, 03 Apr 2026 03:09:08 +0000https://news.ycombinator.com/item?id=47622805robshipprhttps://news.ycombinator.com/item?id=47622805https://news.ycombinator.com/item?id=47622805Second major supply chain compromise in a week after the axios npm attack. 40 minutes and 500k machines affected. SOC2 won't catch this. The real question is whether your CI pipeline would have flagged a dependency change that happened between your last build and the one going to prod. Most teams have no visibility into that window at all.

]]>Thu, 02 Apr 2026 16:59:31 +0000https://news.ycombinator.com/item?id=47617014robshipprhttps://news.ycombinator.com/item?id=47617014https://news.ycombinator.com/item?id=47617014Three hours between the malicious publish and npm pulling the versions. If your CI ran an install during that window, this went straight to prod. Most teams I've worked with still have loose version ranges somewhere in their dependency tree even if they think they've locked everything down.

]]>Wed, 01 Apr 2026 15:29:30 +0000https://news.ycombinator.com/item?id=47602218robshipprhttps://news.ycombinator.com/item?id=47602218https://news.ycombinator.com/item?id=47602218The real issue with LocalStack was always drift. Tests pass locally, then something breaks in staging because the S3 response format is slightly different or DynamoDB throttling doesn't match. After getting burned enough times we just switched to short-lived real AWS environments for integration tests. More expensive, but way fewer surprises in prod.

]]>Wed, 01 Apr 2026 02:55:48 +0000https://news.ycombinator.com/item?id=47596228robshipprhttps://news.ycombinator.com/item?id=47596228https://news.ycombinator.com/item?id=47596228This at least makes me feel like I am not going crazy when I say "Github used to be much more reliable before Microsoft bought them"

]]>Tue, 31 Mar 2026 19:47:24 +0000https://news.ycombinator.com/item?id=47592473robshipprhttps://news.ycombinator.com/item?id=47592473https://news.ycombinator.com/item?id=47592473I am very good at writing down notes, especially in meetings... I am not so great at going back to those notes. I also have an issue with jumping around to different notebooks.

]]>Sat, 31 Jan 2026 04:03:04 +0000https://news.ycombinator.com/item?id=46833322robshipprhttps://news.ycombinator.com/item?id=46833322https://news.ycombinator.com/item?id=46833322I miss his writing, I haven't seen a post by him in a while. His blog and Coding Horror are what I used to read all the time in my undergrad.

]]>Fri, 30 Jan 2026 20:35:33 +0000https://news.ycombinator.com/item?id=46829518robshipprhttps://news.ycombinator.com/item?id=46829518https://news.ycombinator.com/item?id=46829518Don't give them any ideas haha

]]>Thu, 29 Jan 2026 14:51:08 +0000https://news.ycombinator.com/item?id=46810937robshipprhttps://news.ycombinator.com/item?id=46810937https://news.ycombinator.com/item?id=46810937This is so cool. I've become more interested in aerodynamics since I've started watching F1 and reading Adrian Newey's book. This is such a great post, especially the diagrams in the velocity section.

]]>Wed, 28 Jan 2026 19:47:29 +0000https://news.ycombinator.com/item?id=46800604robshipprhttps://news.ycombinator.com/item?id=46800604https://news.ycombinator.com/item?id=46800604Incredible job here. Really took a lot of work to get this done. Keep it up.

]]>Wed, 28 Jan 2026 19:31:55 +0000https://news.ycombinator.com/item?id=46800389robshipprhttps://news.ycombinator.com/item?id=46800389https://news.ycombinator.com/item?id=46800389