Backlog
Ideas for future improvements. Priority: high / medium / low. Sourced from competitive analysis (Socket, OSV.dev, GHSA, ahrefs.com, simonwillison.net, news.ycombinator.com, Mintlify docs, Anthropic docs, Vercel/v0 changelogs). The 2026-06-01 research batch below also draws on Sigstore, deps.dev, OpenSSF Scorecard, FIRST EPSS, CISA KEV, the OSV schema, purl/PEP 740, pnpm/npm/uv docs, and the Internet Archive.
High
- Client-side search.
search.jsonalready ships; needs a 200-line UI (search box in the topbar, fuzzy match via fzf-lite or pagefind). Patterns to imitate: news.ycombinator.com, OSV.dev. Make it instant on type (< 50ms), keyboard-driven (/to focus), and accessible (ARIA live region). - Filter chips on
/alerts.htmland/advisories/. Filter by severity, status, ecosystem, tool. State in URL hash so filters are shareable. Pattern: GHSA and Socket Threat Feed. - Weekly sweep cadence. Document who refreshes
ALERTS.mdweekly and how. Add a visibleLast swept: YYYY-MM-DDon every page so staleness is immediately visible. scripts/check-lockfile.sh— readspackage-lock.json/yarn.lock/pnpm-lock.yamland greps for IOCs from the current advisory corpus. Output:OKor list of matches with advisory links. CLI version of what Socket does, scoped to this repo's data.- Per-tool quick-reference cards. "If you use Cursor, read these 4 advisories." "If you use Claude Code, these 5." Reduces cognitive load and is highly shareable.
Medium
- GitHub Action: RSS-to-issue. Poll Socket / Snyk / GHSA RSS, open a
new-advisoryissue when a relevant item appears. Filter by package popularity (>100k weekly downloads) or specific ecosystems to keep noise down. - CLI tool (
npx vcs-check) that wrapsnpm installand warns if the package appears in ALERTS or has been flagged. (Subset ofnpq, scoped to this repo's data.) - MCP server for the data. Expose advisories + playbooks as an MCP server so AI agents can query them inline:
tell me if I should install <pkg>. Highly on-theme; would dogfood the patterns we recommend in prevention/mcp-hygiene.md. - Browser extension that overlays a warning on npm/PyPI package pages when the package matches an advisory IOC. Inspired by Socket's browser extension.
- Per-package detail pages.
/packages/axios.htmlaggregating every advisory that mentions axios. Cross-links from advisory bodies. - Per-CVE detail pages. Similar, for
/cve/CVE-2026-30615.html. - PyPI parity. Most current advisories are npm-flavored. Bring more Python-specific hardening into prevention/ (
pip --require-hashes,pip-audit,safety,cosign-signed wheels). - Newsletter / email digest. Buttondown or Substack mirror of new advisories. One-tap subscribe button.
- Visualizations. Chart of advisories per month (bar), ecosystem distribution (donut). Pattern: HoneypotIO, CISA KEV catalog charts. Avoid heavyweight libraries — vanilla SVG.
- Webhook integration. POST advisory updates to a Slack / Discord webhook (configurable per consumer).
- Internationalization. At least Spanish / Mandarin / Hindi for the top 5 advisories. Big vibe-coding audiences there.
Low
- JSON export of the advisory metadata beyond
advisories.json— formats like CSV, NDJSON for downstream pipelines. - OSV.dev contribution. Where possible, push our IOC data back into OSV so the broader ecosystem benefits.
- Stickers / printables. A laminated 1-pager of the "60-second package vetting checklist" you can tape to a monitor.
bin/new-advisoryscaffold script that copies the template and pre-fills the frontmatter from CLI args.- Per-advisory timeline component. Visual horizontal timeline (disclosed → patched → contained).
- Dark/light toggle button. Auto detection is already there; an explicit toggle lets users override.
Cmd-Kpalette. Quick jump to any page. Pattern: Mintlify docs, Vercel dashboard.- Print stylesheet refinement. Add a QR code linking to the canonical URL in print output (useful for paper handouts at meetups).
- Backup mirror on a different host (Cloudflare Pages? Vercel?) so the site survives GitHub Pages outages.
- OG:image generator. Per-page social-share image generated at build time (title + severity badge + last-updated). Inspired by vercel/og-image.
- GitHub Action that runs
linkcheckerweekly against the deployed site and opens an issue if any link is broken (we already have internal-link validation; this catches external rot).
Supply-chain & download-safety ideas (2026-06-01 research pass)
A focused batch researched on 2026-06-01, weighted toward the maintainer's priority: helping a developer decide whether and how to safely install something from the internet. Deduplicated against the lists above (client-side search, filter chips, per-package/CVE pages,
npx vcs-check,check-lockfile.sh, browser extension, PyPI parity, OSV.dev contribution, linkchecker are already captured there — items below either extend or don't overlap them). Each item tagged (priority · effort). Verify any post-cutoff tooling/version claim against current docs when implementing.
Verify-before-you-install (the priority theme)
- Consumer-side provenance / attestation verification guide. A new
prevention/page on how to check an artifact's build origin before trusting it — the missing counterpart to our existing publish-provenance docs, and the single biggest gap for the "downloading from the internet" model. Exact commands:npm audit signatures(verifies registry signatures + Sigstore provenance for the installed tree),gh attestation verify <file> --repo <org>/<repo>, PyPI/PEP 740pypi-attestations verify pypi --repository <repo> <file-url>,cosign verify-blob-attestation. (high · low) — npm audit, gh attestation verify, PyPI attestations. - Refresh
prevention/npm-hardening.mdfor the 2026 npm cooldown + publishing changes. npm 11.10+ ships a nativemin-release-agesetting (in days, via.npmrc) that supersedes the doc's currentnpm config set beforetrick — and npm errors if you combinemin-release-agewith--before. Also note the new 2FA-gated/staged publishing (blocks stolen-CI-token publishes — the Shai-Hulud vector). (high · low) — npm/cli, GitHub: a more secure npm. - Dependency-cooldown matrix across every package manager. One shareable table — npm
min-release-age(days), pnpmminimumReleaseAge(minutes; default 1440 in v11), YarnnpmMinimalAgeGate, BunminimumReleaseAge(seconds), uvexclude-newer, pip (no native →--require-hashes+ pinned lockfile). Most 2025–26 attacks had a takedown window under a week, so "don't install anything published in the last N days" is the cheapest high-impact defense. (high · low) — cooldowns.dev, Datadog: dependency cooldowns. - Web "paste your lockfile / SBOM" checker. Client-side, no backend: paste a
package-lock.json/pnpm-lock.yaml/requirements.txt(or a CycloneDX/SPDX SBOM) → cross-check everypackage@versionagainst this repo's IOC corpus → list matches with advisory links. The in-browser complement to the plannedscripts/check-lockfile.sh. (high · medium) - pnpm "secure defaults" recipe. A "switch to pnpm and paste this" config block:
minimumReleaseAge, anallowBuildsallow-list (lifecycle scripts blocked by default),blockExoticSubdeps: true,trustPolicy: no-downgrade. Lowest-effort high-impact move for a solo dev — covers cooldown + scripts + provenance-downgrade in one file. (medium · low) — pnpm supply-chain security. - Slopsquat / typosquat name-check. For any LLM-suggested package, confirm it actually resolves (
npm view/pip index versions) and isn't a 1–2 edit-distance neighbor of a far more popular package. ~20% of LLM-suggested package names are hallucinated and attackers pre-register the predictable ones — squarely the AI-coding threat model. Ship as a mode of the plannedvcs-checkCLI. (medium · medium) — CSA slopsquatting note, Snyk. - Trust-signals panel on package pages (build-time, cached). Surface the heuristics that predict malice: days-since-first-publish, has-install-script, maintainer count, OpenSSF Scorecard score, typosquat flag. deps.dev + Scorecard serve free no-auth JSON — fetch once at build, cache to disk, treat a fetch failure as "no data" (never break the build). (medium · medium-large) — deps.dev API, OpenSSF Scorecard.
Machine-readable IOC & advisory data (so the tools you already run flag these incidents)
- Structured IOC + affected-package frontmatter (+ schema/validator update). The enabler for everything below. Add optional frontmatter —
cves,cwes,cvss(vector string),affected_packages(ecosystem / name /purl/bad_versions/fixed),iocs(domains / ips / sha256 / accounts) — since today these facts live only in advisory prose (scraping prose is noisy: citation domains mix with real C2). Back-compatible (additionalProperties: true); main cost is back-filling existing advisories, so front-load new ones. Mind purl gotchas: npm scopes encode@→%40, PyPI names lowercase and_→-. (high · medium) — OSV schema, purl spec. - OSV-format export + register as an OSV.dev data source. Emit
osv/<id>.json+ anall.zipso OSV-Scanner and the whole osv.dev ecosystem ingest these advisories automatically (scope to incidents with a realpackage@version; leave agent/MCP/CVE-only ones minimal). Then submit the feed as an osv.dev data source — they explicitly invite third-party DBs. Concretizes (and supersedes) the existing low-priority "OSV.dev contribution" item. (high · medium-high) — OSV schema, OSV data sources. - Consolidated
iocs.json(+.ndjson,.csv) indicator feed. One record per indicator (package@version as a purl, C2 domain, IP, SHA-256, npm account) withadvisory_id/url/first_seen/severity/tags.curl | jq-able: grep a lockfile, seed an allow/deny list, import to a SIEM — no SCA tool required. Distinct from the existing generic metadata export (advisory rows vs. indicators). (high · medium) - CVSS-vector + CWE + EPSS + CISA-KEV enrichment. Store CVSS vector strings (not just the number) and CWE IDs; fetch EPSS exploit-probability and CISA-KEV membership at build time and badge advisories accordingly ("In CISA KEV" is the strongest urgency signal there is). Stamp an "as of" date — EPSS/KEV drift daily; cache, never hardcode. (medium · low-medium) — FIRST EPSS API, CISA KEV (JSON mirror).
- Embeddable shields.io verdict badge. Emit a tiny per-package JSON matching the shields endpoint schema so a maintainer can drop
in a README → "flagged: malware" / "no known incident". Free distribution + backlinks, at the point of decision. (low · small, after the lookup index) — shields endpoint badge. - (Considered — deferred) OpenVEX / STIX-TAXII / MISP feeds. Researched and valid, but aimed at SBOM pipelines (VEX) and SOC / threat-intel teams (STIX/MISP), not this site's solo-dev audience — and OSV already conveys "affected". TAXII also implies a live server (anti-static). Revisit only if a real consumer asks; a static MISP feed (
manifest.json+ per-event JSON +hashes.csv) is the only one worth eventual consideration.
Make the site itself verifiable (practice what we preach)
- ✅ Done (2026-06-01) — Pin GitHub Actions to commit SHAs + minimize workflow
permissions:.deploy-site.ymlnow pins all four actions to 40-hex commit SHAs and scopes permissions per job (build:contents: read;deploy:pages: write+id-token: write). Shipped alongside the new ci-cd-hardening.md guide. Remaining follow-up: add.github/dependabot.yml(github-actionsecosystem) to keep the pins current — see the Dependabot item below. — pinact, OpenSSF CI/CD hardening guide. - Content-integrity manifest (
dist/integrity.txt). ~15 lines inbuild.py: SHA-256 of every published file, written last, so anyone can verify the bytes they received match what was published — the static-site equivalent of build provenance, exactly on-mission for a "trust what you download" site. Link fromsecurity.html; assert completeness invalidate.py. (high · low) - Source archival / anti-link-rot. At build/CI time, POST each cited source URL to the Wayback Machine "Save Page Now" (respecting the 1.5–2s/host rule), store the snapshot URL, and render an "📦 archived" link beside each live citation. Advisories live or die by citations that 404; this keeps every claim verifiable. (high · medium) — Wayback Save Page Now, waybackpy.
- Hash-pin the site's own Python deps + Dependabot.
uv pip compile --generate-hashes→requirements.lock, installed withpip install --require-hashes; add.github/dependabot.ymlwatchingpip+github-actions(auto-bumps the pinned SHAs above). (medium · low) — pip secure installs. - CI hardening gates.
zizmorto lint our own workflows (catches unpinned actions + injection — guards the 2026-06-01 SHA-pinning from silently regressing; cheapest, do first), OpenSSF Scorecard action + README badge (verifiable third-party trust signal), a CSP<meta>tag (easy — zero third-party requests — with an honestsecurity.htmlnote that GitHub Pages can't set real HTTP headers /frame-ancestors), and quality gates: Lighthouse CI perf+a11y budget (enforces "minimize page weight"), pa11y/axe,html-validate,cspellover advisories. (low-medium · medium) — scorecard-action, lighthouse-ci-action, pa11y-ci.
Deploy reliability & content gaps (2026-06-19 follow-ups)
Surfaced while fixing a 2-week deploy outage (broken internal links failed
validate.pyon every sweep 2026-06-04 → 06-19; live site frozen at 2026-06-03). Fix shipped; these are the durable follow-ups.
- Pre-commit guardrail in the sweep skill (DONE — skill + CI-on-PR; a git hook is the remaining option). The skill mandates running
build.py → validate.py → pytestbefore committing, and.github/workflows/ci.ymlnow runs that same gate on everypull_request(so a PR can't merge red — previously onlypushtomainwas gated, bydeploy-site.yml). Still worth adding a localpre-commit/pre-pushhook so a future automated sweep that commits straight tomain(bypassing PRs) can't skip the gate either. (medium · low) - Add external-link checking to CI.
tools/check-external-links.pynow exits non-zero on404 + no Waybackand ignores localhost/private/test URLs, so it can gate. It's not inci.ymlyet because it's network-dependent (flaky in CI) and slow (~1.8s/URL). Options: run it only on advisory files changed in the PR (git diff --name-only), nightly, or as a non-blocking annotation. (medium · medium) - Trim historical-status advisories from
llms-full.txt/llms-ctx.txtat build time. The size caps were bumped again (50→64KB / 640→896KB / 96→128KB) butllms-full.txtis ~790KB (~200K tokens) and has outgrown "one Claude paste." Real fix: excludestatus: historical(and maybepatchedolder than N months) from the concatenated files, keeping them in per-page mirrors. Stops the cap-bumping treadmill. (high · medium) - Auto-bump (or assert)
README.md"Last full sweep". It drifts behindALERTS.md"Last refreshed" because daily sweeps don't touch it (was 2026-06-12 while ALERTS said 2026-06-19). Either derive it inbuild.pyor add avalidate.pycheck that the two dates match. (medium · low) - Author the playbooks the sweeps keep wanting. Broken links pointed at non-existent playbooks that are clearly desired by advisory authors — write them and re-point:
playbooks/if-you-ran-malicious-postinstall.md(referenced 4×: postinstall/build-script credential theft),playbooks/if-your-local-ai-agent-was-exploited.md(Cline/OpenCode-class 1-click RCE),playbooks/if-your-webapp-was-compromised.md(RCE in a deployed app),playbooks/if-you-ran-an-unpatched-ai-framework.md(Langflow/LiteLLM-class — rotate every brokered provider key). (medium · medium) prevention/prompt-injection-defense.md— the biggest prevention gap. ~8 advisories are injection-class (InversePrompt, Comment-and-Control, CurXecute/MCPoison, Agentjacking, TrapDoor, ClawHavoc, PromptSnatcher) but there's no prevention doc. Cover: lethal-trifecta framing, "two parsers one string" class, agent-config files as a write-target (grep.cursorrules/CLAUDE.md/AGENTS.md/SKILL.md/.github/copilot-instructions.mdfor zero-width/bidi/variation-selector Unicode and diff on every dep change), MCP tool-description/tool-definition poisoning, and the CSA "Agent Context Poisoning: SKILL.md" note. (high · medium)- Bump deploy-workflow actions off Node 20.
deploy-site.yml's SHA-pinnedactions/checkout,actions/setup-python,actions/upload-artifacttarget Node 20 (deprecated; currently force-run on Node 24). Re-pin to current major SHAs before GitHub drops the Node-20 compat shim. Coordinate with the existing SHA-pin +dependabot.yml (github-actions)backlog item. (medium · low)
Considered but not doing
- Comments on advisories. Spam risk vs. signal. People can open GitHub issues.
- Login / user accounts. Defeats the point of "static + cheap + boring."
- A custom domain.
pranava0x0.github.io/vibe-coding-security/is fine and avoids the indirection.
Source patterns we deliberately adopted
| Pattern | Source |
|---|---|
llms.txt + llms-full.txt index/export split |
Anthropic docs via Mintlify |
Per-page .md mirror |
Mintlify auto-generation — used by Anthropic, Cursor, Coinbase |
Compact context variant (llms-ctx.txt) |
Mintlify recommendation: ≤200K tokens for full ingestion |
| JSON Schema for frontmatter | GHSA / OSV format approach |
| Versioned API endpoint | OSV.dev API pattern |
| Atom feed for change tracking | Simon Willison's blog, Socket blog feed |
Single scannable feed (ALERTS.md) |
HN front page, Socket Threat Feed |
| "Edit on GitHub" + "View raw markdown" | docs.github.com, supabase.com/docs |
.well-known/security.txt |
securitytxt.org standard |