CI is the wrong place to first hear about your npm dependencies



Your CI catches the npm vulnerability. Your developer is already three branches away and one standup behind. The package is installed, the lockfile regenerated, the import wired into a service, and the human who made that decision did it on a Tuesday afternoon with a tab open to Stack Overflow. Now the scanner is yelling.

From the terminal, that is not security. That is grief counseling.

That is the frame Sonu Kapoor lays out in a DevOps.com essay this week, and the engineering bones of it are correct.

A scanner is not a gate. It is a status check.

Kapoor’s argument is about feedback loops. A developer installs, codes, commits, pushes. Only then does CI run. By the time the finding surfaces, the decision to add the package, and the context for why, have evaporated. So has the lockfile churn that caused it. What started as “is this package safe?” becomes “fix this in a different sprint.” The scanner did its job. The fix is now a project.

He backs it with a small case study from the NestJS repo: a scan of package-lock.json returned 1,626 resolved packages and 25 vulnerabilities. Of those, 12 were directly fixable. Thirteen were transitive, buried in upstream graphs, waiting on someone else’s release. In a pipeline-first workflow, every dependency hop is a separate commit and a separate run. (Multiply by the number of services your team owns. Then by your runner-minutes budget. Send me the bill.)

The arithmetic gets ugly quickly. A single lockfile with more than fifteen hundred resolved packages is not exotic for a working Node app; it is the default. The structural bug is that the first time anyone looks at that graph is during a pipeline run, after the merge intent is already in the reviewer’s queue.

Where the essay is right, and where it gets too tidy

Concede the obvious. CI is not the problem. CI is fine. It runs uniformly, it cannot be skipped, and it is the right place to fail a build when an OSV record drops mid-week against a dependency that was clean at merge time. Validation is its native job.

The bug is treating CI as the first place anyone hears about an issue. Discovery there is a category error. You are using the post-flight checklist to taxi the plane.

So far, so unobjectionable. Where the essay gets convenient is the pitch. The cure on offer is a local CLI that Kapoor’s team ships, run against the lockfile before commit, splitting direct from transitive findings, OSV-backed. Useful, probably worth a try. Also: a tool. Tools come and go. A team can adopt this CLI today, lose interest in eight months, and the dependency problem will still be sitting in package-lock.json waiting for the next refactor.

A laptop CLI is the developer-ergonomics half of the answer. It is the half a vendor blog post is built to sell.

What actually moves the gate left

If CI is too late, the answer is not “tell the developer faster on their machine” and walk away. Laptops drift. Branches drift. The version of the scanner that ran on the senior engineer’s machine is not the version that ran on the contractor’s. A discovery step you can opt out of by closing a terminal is not a control. It is a courtesy.

What works, roughly in order of how cheap it is to set up:

A pre-commit hook that fails on a lockfile diff containing a known-bad package. Cheap, local, opt-in, fine as a first line.
A required PR check that runs the same scan against the lockfile before a reviewer is paged. Mandatory, visible inside the diff, blocking the merge instead of decorating the build.
A policy at the branch-protection layer that constrains what is allowed in the lockfile at all: license, registry source, signature, provenance. Unsigned additions to package-lock.json should not be a finding. They should be a closed PR.

Notice CI is in all three. It just stops being where you first find out.
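The three controls above, and the essay’s direct-versus-transitive split from the NestJS case study, can be shown in one small gate. The code below is an added example, not from the essay and not any vendor’s CLI: it diffs the `packages` map of a lockfileVersion 2/3 `package-lock.json` between base and head, then applies a known-bad list (a constructed stand-in for an OSV lookup), a registry allowlist, and a required `integrity` hash, and labels each finding direct or transitive from the root entry’s declared dependencies. All package names and hashes in the sample lockfiles are constructed.

```javascript
// Added example (not from the essay or any tool it mentions): a package-lock.json
// gate usable as a pre-commit hook or a required PR check. Package names, URLs
// and hashes in the sample data below are constructed.

const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

// Constructed denylist: name -> affected versions. A real gate would query OSV.
const KNOWN_BAD = new Map([["example-bad-pkg", new Set(["1.0.0"])]]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Direct deps are whatever the root entry ("") declares; everything else is transitive.
function directDependencyNames(lock) {
  const root = lock.packages[""] || {};
  return new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
}

// Entries that are new in head, or whose version changed since base.
function lockfileAdditions(baseLock, headLock) {
  const added = [];
  for (const [path, entry] of Object.entries(headLock.packages)) {
    if (path === "") continue;
    const before = baseLock.packages[path];
    if (!before || before.version !== entry.version) added.push({ path, entry });
  }
  return added;
}

function gateLockfile(baseLock, headLock) {
  const direct = directDependencyNames(headLock);
  const findings = [];
  for (const { path, entry } of lockfileAdditions(baseLock, headLock)) {
    const name = packageName(path);
    const scope = direct.has(name) ? "direct" : "transitive";
    const reasons = [];
    const bad = KNOWN_BAD.get(name);
    if (bad && bad.has(entry.version)) reasons.push("known-bad version");
    if (entry.resolved && !entry.resolved.startsWith(ALLOWED_REGISTRY)) reasons.push("resolved outside allowed registry");
    if (!entry.integrity) reasons.push("missing integrity hash");
    for (const reason of reasons) findings.push({ name, version: entry.version, scope, reason });
  }
  // blocked means: fail the hook / close the PR, rather than annotate the build.
  return { blocked: findings.length > 0, findings };
}

function gateReport(baseLock, headLock) {
  const { blocked, findings } = gateLockfile(baseLock, headLock);
  const lines = findings.map((f) => `${f.scope}: ${f.name}@${f.version} - ${f.reason}`);
  lines.push(blocked ? "RESULT: blocked" : "RESULT: clean");
  return lines;
}

// Constructed sample lockfiles, abridged to the fields the gate reads.
const BASE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.18.0" } },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};

const HEAD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.18.0", "example-bad-pkg": "1.0.0" } },
    "node_modules/express": BASE_LOCK.packages["node_modules/express"],
    "node_modules/example-bad-pkg": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-bad-pkg/-/example-bad-pkg-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    // transitive dep pulled in by the new package: non-allowlisted mirror, no hash
    "node_modules/example-bad-pkg/node_modules/example-helper": {
      version: "2.0.0",
      resolved: "https://mirror.example.invalid/example-helper-2.0.0.tgz",
    },
  },
};

console.log(gateReport(BASE_LOCK, HEAD_LOCK).join("\n"));
```

Run against the constructed sample, the gate reports one direct finding (the known-bad package itself) and two transitive ones (a helper fetched from a non-allowlisted mirror with no integrity hash). The same function body serves all three layers in the list: a pre-commit hook calls it on the working tree, the PR check calls it on base and head from the merge request, and the branch-protection policy is the registry and integrity rules with the denylist removed.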

The piece’s case study quietly makes this point against itself. When the only fix for a transitive finding is a chain of iterative upgrades, the question is not “can a developer iterate faster on their laptop?” Yes, obviously. The question is “why was a dependency with thirteen unresolved transitive issues allowed into the merge queue in the first place?”

Verdict

Kapoor is right about the asymmetry. CI is great for validation and structurally bad for discovery on a Node tree where the majority of findings can be someone else’s release schedule. If your security story today is “the pipeline will tell us,” you are not gated. You are notified.

Fix the notification step. Then fix the part where you were ever relying on it.




Stop Hardcoding Hex #d9d9d9 In Your CSS



If you open any massive legacy codebase or inspect a fresh Figma handoff, you will probably see one hex code repeating everywhere: #d9d9d9.

It’s the ultimate default. Developers use it for disabled buttons, subtle borders, card backgrounds, and dividers. But treating this specific light gray as a “safe” neutral is causing massive UI bugs in your production apps right now.

Here is why you need to stop hardcoding #d9d9d9 and how to handle it properly.

The Dark Mode Theme Breaker

The most common mistake junior developers make is hardcoding border: 1px solid #d9d9d9; directly into their component CSS.

When your app switches to dark mode, that 85% lightness gray becomes a glaring, dominant bright line that ruins the dark UI ergonomics.

The Fix: Never hardcode this hex. Always map it to a semantic CSS variable or a design token.

```css
/* ❌ Bad Practice */
.card { border: 1px solid #d9d9d9; }

/* ✅ Good Practice */
:root {
  --color-border-subtle: #d9d9d9;
}
@media (prefers-color-scheme: dark) {
  :root {
    --color-border-subtle: #3d3d3d; /* Adjusted for dark mode */
  }
}
.card { border: 1px solid var(--color-border-subtle); }
```

The Accessibility (a11y) Trap

A lot of devs layer #d9d9d9 backgrounds with #9e9e9e text to create a “subtle” disabled state. This combination completely fails WCAG AA standards. While pure black text on #d9d9d9 passes Lighthouse audits, using gray-on-gray is an accessibility anti-pattern. If you are using it for a disabled button, you must pair it with a secondary indicator (like cursor: not-allowed or a specific icon) because color-blind users might not see the difference.
Display P3 vs. sRGB Rendering

Did you know #d9d9d9 looks completely different depending on the monitor? On modern MacBooks (which use the Display P3 color space), it looks sharp and cool. But on cheaper, uncalibrated TN panels (which many of your users have), it washes out and becomes almost indistinguishable from a white background (#ffffff).

The Ultimate #d9d9d9 Developer Guide

Handling gray scales properly separates mid-level devs from senior frontend engineers.

I have written a massive, deep-dive guide on everything you need to know about #d9d9d9. It includes:

How to use it with OKLCH for uniform rendering.

The exact Tailwind CSS equivalents (gray-300).

Copy-paste platform codes for SwiftUI, Jetpack Compose, React Native, and Flutter.

👉 Read the Full Developer Guide on Hex #d9d9d9 Here

(Need to quickly convert #d9d9d9 to RGB, HSL, or CMYK for your current project? Check out our free Hex to RGB Converter tool as well.)




hack with Hyd 2.0 – DEV Community



Support bots that forget every conversation aren’t support bots. They’re expensive FAQ pages.

I built SupportMind to fix that — a customer support agent that actually remembers.

The architecture is two layers:

Memory (Hindsight): After every interaction, the agent stores structured context in a vector namespace per user. Next session, it recalls semantically — “payment problem” retrieves “Visa charge failing” even if the words don’t match.

Routing (cascadeflow): Not every query needs GPT-4. Password resets go to Groq’s free tier. Complex billing disputes escalate. Every decision is logged with model, cost, latency, and reason.

The delta that matters:

Session 1: “Can you tell me your card details and the error you’re seeing?”

Session 3 (same user, same issue): “I see you’ve had recurring issues with your Visa ending in 4242. Last time, clearing billing cache fixed it — want to try that first?”

Same infrastructure. Completely different agent.

On a typical support workload: ~80% simple queries handled by the cheap model. Cost per query dropped from ~$0.012 to ~$0.002.

The part I didn’t expect: routing and memory compound. When Hindsight shows a user has had the same issue four times, cascadeflow automatically classifies their next message as complex — even without explicit signals. That fell out of the architecture. 👇

https://lnkd.in/gn8NwP6Z

#AIAgents #AgentMemory #Hindsight #cascadeflow #LLM #AI


