danielroe 🇺🇦
danielroe.dev
@danielroe.dev
🏡 https://roe.dev
➕ building @nuxt.com • @nitro.build • https://elk.zone
💝 https://page-speed.dev • https://firstcommit.is • https://react-to-nuxt.com
🏅 Google GDE • Microsoft MVP • GitHub ⭐️

signal: danielroe.57

🧗‍♂️ ⛷️ 🚴‍♂️ ✝️

📍 edinburgh 🏴󠁧󠁢󠁳󠁣󠁴󠁿
don't let me stop you!!
November 12, 2025 at 9:52 PM
is that just one of your font folders or...
November 12, 2025 at 9:49 PM
you are extremely close
November 12, 2025 at 9:40 PM
but you've just given the game away so we can all judge

😈
November 12, 2025 at 9:40 PM
i know which one i like
November 12, 2025 at 8:56 PM
you probably need to check your dns to make sure the atproto txt record is correct
November 12, 2025 at 6:42 PM
🤫 you have to ... write react
November 12, 2025 at 5:52 PM
💯
November 12, 2025 at 5:51 PM
you can contribute or view source here

👉 github.com/stackblitz-l...
November 12, 2025 at 5:20 PM
... and yes, it must be considering prerelease versions, which _do_ have provenance (but the final versions don't)
November 11, 2025 at 11:24 PM
the issue is that `[email protected]` (or `[email protected]`, which it sometimes also throws at in this particular example) is _already_ in the lockfile (ie. has been determined safe by me)

I don't want it to _downgrade_ but it's just refusing to install packages that were already installed
November 11, 2025 at 11:22 PM
no, I treat them more as a signal to be consumed by stuff like socket.dev or renovatebot.com.

the _loss_ of provenance I treat as a signal to investigate.
November 11, 2025 at 11:20 PM
you mean, do i verify them on a new release?
November 11, 2025 at 8:12 PM
enough that i’ve had to stop using the feature due to false positives (like chokidar)
November 11, 2025 at 7:30 PM
i think exceptions should be not just by package name but by name and version
November 11, 2025 at 7:00 PM
i feel like enabling a ‘ratchet’ (eg always more secure than before) is the better way to improve supply chain security
November 11, 2025 at 7:00 PM
that just makes it impossible to use at the moment
November 11, 2025 at 6:58 PM
i need to see if i can reproduce but my assumption is that this prevents install if _any_ previous version had stronger provenance

but i want it to prevent install only if in _this_ lockfile change there is a regression
November 11, 2025 at 5:43 PM
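The posts above describe a "ratchet": refuse the install only when this lockfile change moves a package to a version with weaker provenance than the version it replaces, and allow exceptions keyed by name and version rather than name alone. The following is an added illustration of that idea and is not pnpm's code or lockfile format; the lockfile shape, the release history, the version numbers and the provenance flags are all constructed sample data, not statements about the real packages.

```javascript
// Added example (not pnpm's code): a "ratchet" provenance check that only
// complains when THIS lockfile change moves a package to a version with
// weaker provenance than the version it replaces.
//
// The lockfile shape is a constructed simplification, not pnpm's real
// lockfile format. Version numbers and provenance flags are constructed
// sample data, not claims about the real packages.

const previousLock = {
  chokidar: { version: '3.6.0', provenance: true },
  left: { version: '1.0.0', provenance: false },
  other: { version: '2.0.0', provenance: true },
};

const currentLock = {
  chokidar: { version: '4.0.1', provenance: false }, // bumped and lost provenance
  left: { version: '1.0.0', provenance: false },     // unchanged in this diff
  other: { version: '2.0.0', provenance: true },     // unchanged in this diff
};

// Constructed release history, as a registry might report it; used only by
// the history-wide check below.
const releaseHistory = {
  chokidar: [{ version: '3.6.0', provenance: true }],
  left: [
    { version: '0.9.0', provenance: true },  // an older release had provenance
    { version: '1.0.0', provenance: false },
  ],
  other: [{ version: '2.0.0', provenance: true }],
};

// Ratchet: compare each package's locked version before and after the change.
// Exceptions are keyed by name AND version ("name@version"), so reviewing one
// release does not silently exempt every future release of that package.
function findProvenanceRegressions(prev, curr, exceptions = new Set()) {
  const regressions = [];
  for (const [name, after] of Object.entries(curr)) {
    const before = prev[name];
    if (!before) continue;                          // newly added dep: no prior state to ratchet against
    if (before.version === after.version) continue; // not touched by this lockfile change
    if (before.provenance && !after.provenance) {
      if (exceptions.has(`${name}@${after.version}`)) continue;
      regressions.push({ name, from: before.version, to: after.version });
    }
  }
  return regressions;
}

// Contrast: a history-wide check that refuses whenever ANY earlier release of a
// package had provenance and the locked release does not, even if the locked
// release is unchanged. This models the over-eager behaviour the posts
// describe; it is an assumption about that behaviour, not pnpm's implementation.
function findHistoryWideFlags(history, curr) {
  const flags = [];
  for (const [name, after] of Object.entries(curr)) {
    const everHadProvenance = (history[name] || []).some((r) => r.provenance);
    if (everHadProvenance && !after.provenance) flags.push(name);
  }
  return flags;
}

// Usage: the ratchet reports only the package whose version actually changed,
// while the history-wide check also flags "left", which this change never touched.
console.log('ratchet:', findProvenanceRegressions(previousLock, currentLock));
console.log('history-wide:', findHistoryWideFlags(releaseHistory, currentLock));
// After reviewing the new chokidar release and adding a name+version exception,
// the ratchet is clean; a later chokidar bump would still be checked.
console.log('with exception:',
  findProvenanceRegressions(previousLock, currentLock, new Set(['chokidar@4.0.1'])));
```

The difference between the two functions is the false positive the posts mention: the history-wide form flags a package that was already in the lockfile and unchanged, simply because some older release of it carried provenance, while the ratchet form only reacts to a regression introduced by the current change.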
actually, I may have spoken too soon.

I've had to revert switching to pnpm's native solution, personally, as it seems to be over-eager to trigger 🤔
November 11, 2025 at 4:57 PM