Supply Chain Attacks in 2026: How to Harden Your Pipeline

In late March 2026, compromised axios builds briefly appeared on the npm registry (for example 1.14.1 and 0.30.4 on affected release lines). Attackers added a malicious dependency and used lifecycle scripts so an npm install could pull down far more than an HTTP client — a pattern we have seen before in registry incidents, not a bug in axios’ normal code....

May 15, 2026 · 8 min · Oleksandr Kulbida
Infrastructure as Code

Terraform at scale: GitOps tools and the long apply problem

If you’ve been using Terraform Cloud for a while, you’ve probably hit at least one of these: the pricing model changed and suddenly it’s expensive, applies take 10+ minutes, or the state files have grown into something nobody wants to touch. You’re not alone — this is a recurring topic in every DevOps community right now. This post covers the main tools people are using to solve these problems in 2025–2026, with a focus on two separate issues that often get conflated: GitOps orchestration (who triggers plans, who approves applies) and state management at scale (why applies are slow and what to do about it)....

May 8, 2026 · 6 min · Oleksandr Kulbida

Harden-Runner: visibility into what your CI runner does on the network

Most teams have no idea what their CI runners connect to during a build. Packages get installed, scripts run, network calls go out — and none of it is logged. That is a real blind spot. Harden-Runner from StepSecurity is a GitHub Action that monitors and optionally blocks outbound network connections at the runner level, in real time. Think of it as an EDR for your CI pipeline. It caught the axios supply chain attack in real time — any connection to sfrclak....

April 24, 2026 · 2 min · Oleksandr Kulbida