https://antolinez.ch/2026-05-27T11:15:00+00:00Felipe Antolinez2026-05-27T11:15:00+00:002026-05-27T11:15:00+00:00https://antolinez.ch/2026/May/27/dependency-cooldowns/#atom-tag

<p>Dependency cooldowns are a highly effective way to mitigate supply-chain attacks, which have become a lot more frequent recently. And because it’s such a simple strategy to implement, I think that every project should adopt it.</p> <p>Once a malicious release of a popular package is published, the attacker’s window of opportunity is usually less than a week before it’s detected. Therefore, <a href="https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns">as William Woodruff showed</a>, adding a one- or two-week cooldown period before adopting any new release would have prevented most of the prominent supply-chain attacks in recent months.</p> <p>Implementation in uv for Python is as simple as adding this one line to your <code>pyproject.toml</code>:</p> <p><code>toml exclude-newer = "1 week"</code></p> <p>Dependabot, Renovate, and pnpm all have equivalent features.</p> <p>One common pushback against this strategy is that it stops working if everyone adopts it, but I don’t think this is correct. Compromised releases get caught quickly, not because they are used in a real exploit first, but because there are researchers actively looking for them.</p> <p>Dependency cooldowns, of course, don’t catch all supply-chain attacks, but for a one-line config change, they offer a lot of protection.</p> <p><a href="https://www.linkedin.com/posts/felipeantolinez_we-should-all-be-using-dependency-cooldowns-activity-7465359920830545920-NzXN">View the original LinkedIn post</a></p> <p>Tags: <a href="https://antolinez.ch/tags/linkedin">linkedin</a>, <a href="https://antolinez.ch/tags/security">security</a></p>

2026-02-17T13:00:00+00:002026-02-17T13:00:00+00:00https://antolinez.ch/2026/Feb/17/coding-agents-secrets-env-files/#atom-tag

<p>If you're using Claude Code or other coding agents, check whether they have access to your secrets. Many developers assume .env files are protected by default, but they are not.</p> <p>In Claude Code, the interactive permission prompt is the only barrier, and it's easy to click through without thinking. To fix this, you can add a deny rule in your global Claude Code settings (see screenshot).</p> <p>It takes 30 seconds to set up, and it's the kind of thing you only think about after something goes wrong.</p> <p><img alt="Claude Code deny rule settings for .env files" src="https://res.cloudinary.com/dc7ady43d/image/upload/w_1200,f_auto,q_auto/v1771322887/blog/voqrtneqejletnz8gxyi.png" /></p> <p><a href="https://www.linkedin.com/posts/felipeantolinez_if-youre-using-claude-code-or-other-coding-activity-7429510021409054721-Lby_">View the original LinkedIn post</a></p> <p>Tags: <a href="https://antolinez.ch/tags/linkedin">linkedin</a>, <a href="https://antolinez.ch/tags/coding-agents">coding-agents</a>, <a href="https://antolinez.ch/tags/ai">ai</a>, <a href="https://antolinez.ch/tags/security">security</a></p>