Jamie Magee

@jamiemagee.bsky.social

Programmer, Engineer, Problem Solver. Maintainer of Dependabot. Principal software engineer at Microsoft/GitHub.

286 Followers  |  535 Following  |  205 Posts  |  Joined: 24.04.2023
Posts by Jamie Magee (@jamiemagee.bsky.social)

Routle - King County Metro Test your knowledge of King County Metro routes with this daily quiz game.

Routle - King County Metro
02/27/2026
🟥 🟥 🟥 🟥 🟥

www.routle.city/king_county_...

27.02.2026 17:26 — 👍 0    🔁 0    💬 0    📌 0

Hot take: package provenance (npm, pypi, etc.) should be a one-way street.

You should have to bump a major version to publish without it.

26.02.2026 23:02 — 👍 1    🔁 0    💬 0    📌 0
Routle - King County Metro Test your knowledge of King County Metro routes with this daily quiz game.

Routle - King County Metro
02/26/2026
🟩 ⬛ ⬛ ⬛ ⬛

www.routle.city/king_county_...

26.02.2026 22:02 — 👍 0    🔁 0    💬 0    📌 0
Routle - King County Metro Test your knowledge of King County Metro routes with this daily quiz game.

Routle - King County Metro
02/25/2026
🟥 🟩 ⬛ ⬛ ⬛

www.routle.city/king_county_...

26.02.2026 02:33 — 👍 0    🔁 0    💬 1    📌 0
Meet Boop, the New ORCA Card Companion - myORCA Meet Boop, the friendly companion for ORCA. Boop was named after the sound ORCA card readers make when you tap on to your ride. Boop has always loved exploring the beautiful waters around Seattle and...

I reserve that for when I boop my orca card

info.myorca.com/news/meet-bo...

25.02.2026 07:04 — 👍 1    🔁 0    💬 0    📌 0

Even better: 1ES has been explicitly asked to WFH the whole week before because they're moving us from B18 to B17

23.02.2026 07:03 — 👍 1    🔁 0    💬 0    📌 0
A dependabot PR updating idunno.Bluesky from 1.5.0 to 1.6.0

Skill issue

23.02.2026 03:09 — 👍 2    🔁 0    💬 0    📌 0

Come, Sir Andrew, there’s no remedy

19.02.2026 13:13 — 👍 3006    🔁 690    💬 36    📌 30
Squidward watching SpongeBob and Patrick running meme

Me Eagerly awaiting Judkins Park Station opening

19.02.2026 21:25 — 👍 2    🔁 0    💬 0    📌 0
npm bulk trusted publishing config and script security now generally available - GitHub Changelog Two new features are available today in npm CLI v11.10.0+: Bulk configuration for OIDC trusted publishing: Maintainers can now add or update trusted publishing configurations across multiple packages ...

npm saw your pain

github.blog/changelog/20...

18.02.2026 22:39 — 👍 1    🔁 0    💬 0    📌 0
Multi Mount System Elgato

It's a pain, but I've had good success with Elgato's mounts

www.elgato.com/us/en/s/mult...

18.02.2026 04:29 — 👍 0    🔁 0    💬 1    📌 0

A false positive, technically. But a provenance gap got caught, the maintainer fixed their workflow, and downstream users get properly attested packages. I'll take it!

17.02.2026 05:01 — 👍 0    🔁 0    💬 0    📌 0
GitHub issue tighten/ziggy#871

@JamieMagee: v2.6.0 is the first release in a while without provenance attestation on npm: npmjs.com/package/ziggy-js?activeTab=versions

Looks like the Publish workflow run for v2.6.0 failed, so I'm guessing the package was published manually without --provenance. All prior versions (2.5.3, 2.5.2, etc.) have it.

Not a security issue, just a heads-up. Tools like Dependabot have started flagging when attestation disappears between versions, so downstream users may see warnings on this release.

Worth re-publishing 2.6.0 with npm publish --provenance from CI, or just making sure 2.6.1+ goes through the workflow again.

@bakerkretzmar: Thanks a lot for flagging this! Can't remember why the release workflow failed but yeah I published 2.6.0 manually so that's why it's missing. Can't re-publish but will make sure 2.6.1 works, I'll leave this open until then.

@bakerkretzmar: Fixed, after several attempts 😅

@JamieMagee: Thank you!

Looked into it and it wasn't malicious. Their CI publish workflow had failed, so the maintainer published v2.6.0 manually and forgot --provenance. Opened an issue, they said thanks for the heads up, and shipped v2.6.1 through CI with provenance restored.

17.02.2026 05:01 — 👍 1    🔁 0    💬 1    📌 0
npm version history of ziggy-js. Version 2.6.1 and 2.5.3 have a green checkmark, version 2.6.0 doesn't.

Shipped it on Thursday. By Friday it had already flagged something: ziggy-js v2.6.0 published without provenance. Every version back to v1.8.2 had one. Here we go, I thought.

17.02.2026 05:01 — 👍 0    🔁 0    💬 1    📌 0

The eslint-config-prettier compromise last year had a tell: the malicious versions were published to npm without provenance attestation, while the legit ones all had it. So I added a check to Dependabot that warns when a package loses its provenance between updates.

17.02.2026 05:01 — 👍 1    🔁 1    💬 1    📌 0
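
Added example (not part of the original posts, and not Dependabot's code): a sketch of the kind of check the thread above describes, comparing provenance between the current and the proposed version. It assumes npm registry metadata marks an attested version with dist.attestations.provenance; the sample metadata is constructed to follow the version sequence in the thread, and the function names are hypothetical.

```javascript
// Added example, not Dependabot's implementation.
// Assumption: registry metadata marks an attested version with
// versions[v].dist.attestations.provenance.predicateType.

// Constructed sample metadata following the version sequence in the thread.
const SLSA = "https://slsa.dev/provenance/v1";
const attested = { dist: { attestations: { provenance: { predicateType: SLSA } } } };
const unattested = { dist: {} };
const samplePackument = {
  name: "ziggy-js",
  versions: { "2.5.2": attested, "2.5.3": attested, "2.6.0": unattested, "2.6.1": attested },
};

// True when the metadata for `version` carries a provenance attestation.
function hasProvenance(packument, version) {
  const meta = packument.versions?.[version];
  if (!meta) throw new Error(`${packument.name}@${version} not found in metadata`);
  const predicate = meta.dist?.attestations?.provenance?.predicateType;
  return typeof predicate === "string" && predicate.length > 0;
}

// Compare the currently pinned version with the proposed update.
// Only the attested -> unattested transition produces a warning; a package
// that never published provenance gives no signal either way.
function checkProvenanceChange(packument, fromVersion, toVersion) {
  const before = hasProvenance(packument, fromVersion);
  const after = hasProvenance(packument, toVersion);
  if (before && !after) {
    return {
      status: "lost",
      warning: `${packument.name} ${toVersion} has no provenance attestation, ` +
        `but ${fromVersion} did. Confirm how ${toVersion} was published before merging.`,
    };
  }
  if (!before && after) return { status: "gained", warning: null };
  return { status: after ? "kept" : "never-attested", warning: null };
}

console.log(checkProvenanceChange(samplePackument, "2.5.3", "2.6.0"));
console.log(checkProvenanceChange(samplePackument, "2.6.0", "2.6.1"));
```

This only checks that attestation metadata is present; it does not verify the attestation itself, which npm audit signatures does for installed packages.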
GitHub - JamieMagee/ha-specialized-turbo: Home Assistant integration for Specialized Turbo e-bikes via Bluetooth LE Home Assistant integration for Specialized Turbo e-bikes via Bluetooth LE - JamieMagee/ha-specialized-turbo

Built a Home Assistant integration for Specialized Turbo e-bikes. Battery health, motor power, speed, cadence, odometer, etc. All over Bluetooth, all local. Works with 2017+ models with TCU. Install via HACS.

#HomeAssistant #ebike #BLE #SmartHome

github.com/JamieMagee/ha-specialized-turbo

16.02.2026 19:42 — 👍 3    🔁 0    💬 0    📌 0

I cycle over the I90 bridge daily for my commute, and there is no better advertisement for the 2 Line than seeing the train sail past bumper to bumper traffic.

14.02.2026 21:56 — 👍 0    🔁 0    💬 0    📌 0
$ go install golang.org/dl/go1.26.0@latest
$ go1.26.0 download
Downloaded   0.0% (       0 / 63102509 bytes) ...
Downloaded  50.0% (31551254 / 63102509 bytes) ...
Downloaded 100.0% (63102509 / 63102509 bytes)
Unpacking go1.26.0.openbsd-arm64.tar.gz ...
Success. You may now run 'go1.26.0'
$ go1.26.0 version
go version go1.26.0 openbsd/arm64

🎆 Go 1.26.0 is released!

🗒️ Release notes: https://go.dev/doc/go1.26

⬇️ Download: https://go.dev/dl/#go1.26.0

#golang

10.02.2026 19:52 — 👍 169    🔁 47    💬 2    📌 10
Announcing TypeScript 6.0 Beta - TypeScript Today we are announcing the beta release of TypeScript 6.0! To get started using the beta, you can get it through npm with the following command: npm install -D typescript@beta TypeScript 6.0 is a uni...

TypeScript 6.0 beta is now published!

This release brings

- inference improvements for functions
- updates to package.json 'imports'
- the Temporal APIs
- alignments for the upcoming TypeScript 7.0
- & more!

Try it today!

devblogs.microsoft.com/typescript/a...

11.02.2026 19:46 — 👍 150    🔁 36    💬 3    📌 5

👀

07.02.2026 20:08 — 👍 0    🔁 0    💬 1    📌 0

Dependabot now supports OIDC authentication

https://github.blog/changelog/2026-02-03-dependabot-now-supports-oidc-authentication

03.02.2026 23:49 — 👍 1    🔁 2    💬 0    📌 0

The Dependabot Proxy is now open source with an MIT license

https://github.blog/changelog/2026-02-03-the-dependabot-proxy-is-now-open-source-with-an-mit-license

03.02.2026 17:08 — 👍 2    🔁 1    💬 0    📌 0
Dependabot now supports OIDC authentication - GitHub Changelog Dependabot can now use OpenID Connect (OIDC) to authenticate with private registries, eliminating the need to store long-lived credentials as repository secrets. What’s new With OIDC-based authenticat...

🔐 PASSWORDS? WHERE WE'RE GOING WE DON'T NEED PASSWORDS 🔐

STRAP IN SECURITY FANS: Dependabot just learned how to authenticate WITHOUT storing secrets, and your security team is about to ugly-cry with joy! 😭🎉

OIDC SUPPORT HAS LANDED!

github.blog/changelog/20...

03.02.2026 23:45 — 👍 2    🔁 0    💬 0    📌 0
GitHub - dependabot/proxy Contribute to dependabot/proxy development by creating an account on GitHub.

🚨CODE RED (BUT LIKE A GOOD RED): WE JUST OPEN SOURCED THE DEPENDABOT PROXY🚨

Attention Dependabot fans and security nerds: The Dependabot Proxy just escaped from its private repo and is now LOOSE ON THE INTERNET under the MIT license!

github.com/dependabot/p...

03.02.2026 17:03 — 👍 6    🔁 2    💬 0    📌 0
close up of Rapid Ride logo on a G Line bus in Seattle

🚌 Today is the first time Seattle transit riders can pay the fare with a credit card or smartphone
The new feature launches on Rapid Ride G, and will be rolled out across the bus system in the coming weeks
📲 I wish I was in Seattle this week to try it out!
🙋‍♂️ Give it a try & tell me about it here

02.02.2026 15:39 — 👍 85    🔁 16    💬 5    📌 1

There is no better advert for the 2 Line than seeing it fly past bumper to bumper traffic on the I-90 bridge.

28.01.2026 17:47 — 👍 2    🔁 0    💬 0    📌 1
A screenshot from the USDA food atlas page showing the area around 23rd & Jackson highlighted in orange for being "Low income and low access at 1/2 and 10 miles"

We're back to that area being a food desert again

gisportal.ers.usda.gov/ers/GIS_FARA...

28.01.2026 07:14 — 👍 2    🔁 0    💬 0    📌 0

💚💙SUPER BOWL 💙💚
💚💙SUPER BOWL 💙💚
💚💙SUPER BOWL 💙💚
💚💙SUPER BOWL 💙💚
💚💙SUPER BOWL 💙💚
#GOHAWKS

26.01.2026 02:57 — 👍 487    🔁 52    💬 3    📌 11
Crosslake Connection | Sound Transit

Say hello to a truly connected region on March 28! The Crosslake Connection is opening two new stations and a world of new possibilities for the Eastside, Seattle and beyond. 🚊✨

Explore this highly anticipated new connection and get ready to ride! 🎉

www.soundtransit.org/crosslake

23.01.2026 18:35 — 👍 168    🔁 67    💬 2    📌 22

The GitHub Copilot SDK is here 🙌

You can take the same Copilot agentic core that powers GitHub Copilot CLI and embed it in any application, with just a few lines of code.
github.com/github/copil...

22.01.2026 17:47 — 👍 23    🔁 9    💬 4    📌 6