
GitHub source code exposure rarely starts with the platform itself, it starts with something trusted too much. I care less about the headline breach than the awkward bit underneath, where a third-party tool quietly becomes the bridge into files, tokens, and repo history.
n8n 2 27 3: default Form Trigger auth prevents legacy crashes, UI hides preview suggestions on small screens, notes add stage review and tooling badges

Inspektor Gadget OCI images sound harmless until a build value slips into shell syntax and the pipeline starts executing it for you. I prefer build steps that stay boring, because once they stop being boring, you are usually already in trouble.

Prototype pollution in Adobe Acrobat PDF code paths is not a neat edge case, it is what happens when privileged JavaScript trusts the wrong shape of data. I keep coming back to the same point, undeclared variables, `eval`, and sloppy string handling all hand an attacker room to steer the code.
Talos Linux v1 13 5: security upgrades, kernel 6 18 36, containerd 2 2 5, Go 1 26 4, Kubernetes images updated, bug fixes, report issues
Talos v1135: kernel 61836, containerd 225, runc 143, security and stability updates, shutdown fixes, LUKS and reboot edge case fixes, test and report issues
n8n v2 26 9: maintenance patch, stage review badge for PR review, Cubic auto release notes, check GitHub compare for diffs before upgrading

AI pentesting is useful when it speeds up the grunt work and leaves judgement where it belongs. I care less about noisy findings than about whether a small mistake can be chained into a working path, because that is where the real test starts.

corecrypto formal verification is useful right up to the point where the code stops being plain C. I trust the proof more than the marketing, but only if the compiler output still looks like the model; once the fast paths and silicon features take over, the neatness falls away.
Gitea v1 26 4: prevents OAuth2 auto reactivation of disabled users, improves git log walk error handling, Gitea Cloud instances auto upgraded June 21 2026
Gitea v1 26 4: prevents OAuth2 callbacks reactivating disabled users, fixes git log traversal errors, Gitea Cloud auto upgrades, self hosted instances update

Public repos are brilliant at preserving bad decisions, and AWS GovCloud credentials are exactly the sort of thing that should never survive a commit. Once they are out, the clean-up is only half the job; the harder part is admitting how many places the same mistake has already reached.
Gitea v1 26 3: Actions require merged PR to bypass fork gate, workflow fixes, security hardening, LFS and API bugfixes, build and deps updates
Gitea v1 26 3: Actions now require a merged PR to bypass fork PR approval gate, security hardenings and bugfixes, upgrade strongly recommended
ESPHome 2026 6 2: normalize espidf tool paths, fix RMT5 interrupt priority in fastled, mark packet transport key secret, bundle device builder 1 0 12

Consumer routers are still being dragged into IoT botnets because the easy mistakes never went away, default logins, exposed admin pages, and forgotten services. I would rather spend ten minutes hardening a box now than find out later it has been busy for someone else.

AWS GovCloud credential leakage is not a tidy mistake, it is a time problem. Once a secret hits public GitHub, I treat revocation, search, and handoff as one job, because leaving even one copy alive keeps the mess going.
n8n 2 26 8: fixes Form Trigger crash by adding default auth parameter, backward compatible, upgrade recommended, test Form Trigger workflows after update
ESPHome 2026 6 1: fixes address resolution, skips target deps in host tests, ESP32 idedata, preserve factory bin, logger recursion guard, timestamp revert
HomeAssistant Core 2026 6: critical fixes for Growatt InfluxDB Immich zwave js MQTT WebDAV Tank Utility, integrations, translations, deps and frontend updates
Cloudflare WAF rule merge changes more than a label, and I have seen neat alerting fall apart because the detection moved, not because the noise went away. If you are counting rule IDs, you may be looking at bookkeeping, not behaviour.
Argo CD v3 4 4: fast kubectl install for non HA and HA, cosign signed images and provenance, key bug fixes, upgrade guidance and full release details
headscale v0 29 1: requires Tailscale client v1 80 0, fixes migration preserving user id for nodes with tags:null, follow official upgrade guide
Argo CD v3 4 4: quick start and HA install commands, signed images and SLSA 3 provenance, key fixes, upgrade guidance, CI and test maintenance
headscale v0:29:1, preserves user assignment for nodes with tags null, fixes upgrade bug that lost user id, min Tailscale v1:80:0, follow upgrade guide