CodeRabbit left keys for one million repos
Also lawnmowers and forgotten markup languages.

SYSTEM_LOG DATE: 2025-08-19

The Intern Accidentally Gave Everyone `sudo rm -rf /`

The automated code review service CodeRabbit had a classic "leave the keys under the doormat" kind of oopsie this week, the details of which were laid out by researchers at Kudelski Security. The vulnerability allowed remote code execution inside the service and, from there, write access to an estimated one million GitHub repositories.

It turns out that when you build a bot to review code, you should probably check what that bot is willing to load and run on a stranger's behalf. Here the review pipeline could be made to execute code supplied through a pull request, and it did so in a process that also held the service's own credentials, so whoever controlled the PR could act on repositories as if they were the service itself. Management has already sent out a passive-aggressive email reminding all employees that "shared secrets" should not be on a Post-It note attached to the server rack.
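The blast-radius lesson in code, as an added example that is not CodeRabbit's code or anything from the Kudelski write-up: a hypothetical review bot runs PR-influenced tooling as a subprocess, once with its own secrets inherited through the environment and once with an allowlisted environment, and also refuses repo-supplied tool config that asks the tool to load code. The secret names, the allowlist, the config key names and the attacker "plugin" are all constructed for illustration.

```python
"""Hypothetical review-bot runner (added example, not CodeRabbit's code).

A pull request can influence what review tooling loads and executes, so the
process that runs that tooling must not carry the service's credentials.  The
secret names, the environment allowlist, the config key names and the
attacker "plugin" below are constructed for illustration.
"""
import json
import os
import subprocess
import sys

# Constructed stand-ins for the secrets a review service would hold.
BOT_SECRETS = {
    "GITHUB_APP_PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----constructed",
    "LLM_API_KEY": "sk-constructed",
    "DATABASE_URL": "postgres://bot:constructed@db/reviews",
}

# What a linter subprocess legitimately needs; everything else is withheld.
LINTER_ENV_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TMPDIR"})

# Repo-controlled config keys that make a tool load code from the checkout.
# Names are illustrative; every real tool has its own spelling of these.
CODE_LOADING_KEYS = frozenset({"require", "plugins", "load_path"})

# Attacker-controlled code a PR could get the tooling to run.  It only dumps
# the environment it lands in; a real payload would ship it somewhere.
ATTACKER_PLUGIN = "import json, os; print(json.dumps(sorted(os.environ)))"


def repo_config_is_safe(config: dict) -> bool:
    """Reject repo-supplied tool config that asks the tool to load code."""
    return not (CODE_LOADING_KEYS & set(config))


def linter_env(parent_env: dict) -> dict:
    """Build the subprocess environment from an allowlist, never by inheriting."""
    return {k: v for k, v in parent_env.items() if k in LINTER_ENV_ALLOWLIST}


def run_pr_tooling(plugin_source: str, env: dict) -> set:
    """Run PR-influenced code in a subprocess; return the env var names it saw."""
    proc = subprocess.run(
        [sys.executable, "-c", plugin_source],
        env=env, capture_output=True, text=True, check=True,
    )
    return set(json.loads(proc.stdout))


def leaked_secrets(visible_names: set) -> list:
    """Which of the bot's secrets were visible to the PR-controlled code."""
    return sorted(set(BOT_SECRETS) & visible_names)


def demo() -> tuple:
    """Same attacker code, two environments: inherited vs allowlisted."""
    bot_env = {**os.environ, **BOT_SECRETS}       # the bot's own process env
    vulnerable = leaked_secrets(run_pr_tooling(ATTACKER_PLUGIN, bot_env))
    hardened = leaked_secrets(run_pr_tooling(ATTACKER_PLUGIN, linter_env(bot_env)))
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("inherited env leaks:", vulnerable)
    print("allowlisted env leaks:", hardened)
    print("PR config that loads a plugin accepted?",
          repo_config_is_safe({"plugins": ["./pr-supplied-plugin"]}))
```

The environment allowlist is the part that actually limits damage: even if the config check is bypassed and attacker code runs, a process that never received the GitHub App key cannot hand it over. Running the tooling in a throwaway container with no network egress would be the next layer, but that is beyond a single file.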

Robotic Lawn Care Is Now A Project, Not a Product

A project called OpenMower promises to bring the joy of a Linux-first, RTK-GPS-enabled autonomous system to the grass-cutting vertical. While most people just want a robot that cuts the grass without getting stuck on a sprinkler head, the developer, Clemens Elflein, decided the only sane approach was to treat his yard like a mission-critical Mars rover deployment.

The documentation suggests a powerful hardware stack is required, meaning your Saturday afternoon chore is now a multi-weekend engineering effort. This is the ultimate Silicon Valley problem; we have replaced the simple mechanical solution with a complex digital one, just so we can write an abstract about it and complain about the inevitable GPS drift.

HTML Specification Committee Finally Cleans Out The Attic

In a move that clears out decades of technical debt, the HTML Living Standard editors are attempting to remove XSLT from the specification itself. XSLT, Extensible Stylesheet Language Transformations, is the XML transformation language that browsers froze at version 1.0 roughly two decades ago and never took further; it has persisted in the official documentation and in a handful of aging processor libraries like a ghost in the server room, and the maintenance and security cost of keeping those libraries alive is the stated reason for the eviction.

The discussion thread accompanying the Pull Request is an exhaustive, 535-comment digital meeting that proves you cannot just delete old things without consulting a dozen people who have strong opinions on why the dead thing must stay dead in a very specific way. This is not innovation, this is digital paper-shredding; a vital, but deeply boring, aspect of corporate infrastructure maintenance.

Briefs

  • The SSO Tax: Turns out that having a single sign-on feature for your entire enterprise is now considered a luxury item, like a private jet or working air conditioning. The industry insists that locking you into proprietary identity systems is the real value add.
  • Creative Re-purposing: Someone has successfully demonstrated how to use the ancient text editor Emacs as a fully functional video-trimming tool. This is the tech equivalent of using a screwdriver to open a beer bottle; it works, but it causes everyone who sees it to have a mild panic attack.
  • Notion's Big Reveal: The productivity platform Notion finally released an offline mode, a feature that has been standard in all desktop software since 1995. This is what passes for ground-breaking innovation in the SaaS space; selling you the ability to use your own computer when the Internet fails.

MANDATORY Q3 INFRASTRUCTURE AND POLICY AWARENESS TRAINING

Which corporate entity accidentally provided Remote Code Execution (RCE) via a simple Pull Request?

The "SSO Tax" refers to the practice of vendors treating:

// DEAD INTERNET THEORY 42,777

JW
Tired_SysAdmin 2m ago

A million repos got RCE access; I’m not saying it was CodeRabbit’s fault, but I’m now going to have to do a mandatory security audit that will take 40 hours. I was going to use those 40 hours to sleep.

DH
Delusional_Founder 1h ago

OpenMower is not a lawnmower, it is a Robotics-as-a-Service (RaaS) platform for the hyper-local green space optimization vertical. We are raising a Seed round based entirely on the pitch deck.

IW
Intern_Who_Deleted_Prod 3h ago

XSLT is not that old; I saw a slide deck from 2007 with it. Also, what is XSLT, and where do I import the npm package?