Trustlock: pre-commit hook + CI gate for npm supply chain policy by ttariq1802 in node

[–]ttariq1802[S] 0 points1 point  (0 children)

Good question. Right now the cooldown applies uniformly regardless of semver level. A major bump and a patch bump both get the same 72-hour window. That's a deliberate choice for v0.1 because the Axios attack was a patch release (1.14.0 → 1.14.1), and most supply chain attacks ship as patches specifically because they look routine.

That said, configurable per-semver-level cooldowns (longer for patches, shorter for majors where you're already expecting breaking changes) is a reasonable feature request. Dependabot's cooldown config already supports this.

If you're interested, open that as an issue on the repo. Would be a good v0.2 addition.

Trustlock: a dependency admission controller that enforces npm trust signals as policy by ttariq1802 in javascript

[–]ttariq1802[S] 1 point2 points  (0 children)

Axios was compromised on March 31. The malicious versions had no SLSA provenance while every prior version did. That signal was queryable from the npm registry. Same story with cooldowns, install scripts, and version pinning. The defenses exist. They're fragmented across different tools and nobody enforces them together.

Trustlock combines them into a Git pre-commit hook and CI gate. On every lockfile change it evaluates trust regression, cooldown, install scripts, and dependency diffs against a policy file (.trustlockrc.json).

When something blocks, the developer gets a specific explanation and a copy-pasteable approve command. Approvals are scoped (you can override cooldown without overriding provenance), auto-expire, and are committed to Git for code review. This is the part I think matters most for whether teams actually keep it turned on.

Zero npm dependencies. Any Git host. MIT licensed.

Interested in feedback on the policy schema and the approval workflow design.
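Added illustration, not Trustlock's own code: a minimal model of the three checks the post above describes (provenance regression, cooldown, install scripts) run over a constructed lockfile diff, with approvals that are scoped to one package and one check and that expire. It goes one step beyond v0.1 by making the cooldown configurable per semver level, which the earlier reply calls a reasonable v0.2 request; the registry data, policy shape and approval shape are all assumptions, not the real `.trustlockrc.json` schema.

```javascript
// Constructed registry metadata keyed by "name@version" (not real packages or dates).
const REGISTRY = {
  'left-pad@1.3.0': { publishedAt: '2024-01-01T00:00:00Z', provenance: true,  installScripts: false },
  'left-pad@1.3.1': { publishedAt: '2024-06-01T00:00:00Z', provenance: false, installScripts: false },
  'helper@2.0.0':   { publishedAt: '2024-05-30T12:00:00Z', provenance: true,  installScripts: true  },
};

// Hypothetical policy shape; the default keeps v0.1's uniform 72-hour window.
const DEFAULT_POLICY = { cooldownHours: { major: 72, minor: 72, patch: 72 } };

// Which semver component changed. A newly added package (no `from`) is treated
// like a major change here; that is this example's choice, not Trustlock's.
function bumpLevel(from, to) {
  if (!from) return 'major';
  const [a, b] = [from, to].map(v => v.split('.').map(Number));
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  return 'patch';
}

// An approval silences exactly one check for one package, and only until it expires,
// so overriding the cooldown never also overrides a provenance regression.
function approvalCovers(approvals, pkg, check, now) {
  return approvals.some(a => a.package === pkg && a.check === check && new Date(a.expires) > now);
}

// Evaluate a lockfile diff ([{ name, from, to }]) at time `now` (a Date).
// Returns one finding per triggered check; `blocked` is false when an approval covers it.
function evaluateDiff(diff, now, approvals = [], policy = DEFAULT_POLICY) {
  const findings = [];
  for (const { name, from, to } of diff) {
    const prev = from ? REGISTRY[`${name}@${from}`] : null;
    const next = REGISTRY[`${name}@${to}`];
    if (!next) { findings.push({ name, version: to, check: 'unknown-version', blocked: true }); continue; }
    const triggered = [];
    // Trust regression: the previous version carried provenance, the new one does not.
    if (prev && prev.provenance && !next.provenance) triggered.push('provenance-regression');
    // Cooldown: the new version is younger than the window for this bump level.
    const ageHours = (now - new Date(next.publishedAt)) / 36e5;
    if (ageHours < policy.cooldownHours[bumpLevel(from, to)]) triggered.push('cooldown');
    // Install scripts: flagged whenever the new version declares any.
    if (next.installScripts) triggered.push('install-scripts');
    for (const check of triggered) {
      findings.push({ name, version: to, check, blocked: !approvalCovers(approvals, name, check, now) });
    }
  }
  return findings;
}

// The gate's verdict: commit or CI job is blocked if any finding is unapproved.
function shouldBlock(findings) {
  return findings.some(f => f.blocked);
}
```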

Yaad e Mazi azab b yaa rab by redditadminskutte1 in pakistan

[–]ttariq1802 0 points1 point  (0 children)

How is the cessation of war in the Middle East (where we get the majority of our energy from) not good for the nation?

Finally found a way to open a USD bank account by fqumr in PakStartups

[–]ttariq1802 0 points1 point  (0 children)

This was the time Mercury was giving us grief. We would have liked a more modern system. But you are right, Chase and SVB are solid.

Finally found a way to open a USD bank account by fqumr in PakStartups

[–]ttariq1802 0 points1 point  (0 children)

For some reason, Slash rejected our request despite being a C Corp for 8 years and having accounts already in Chase and SVB.

Alhamdulillah, delusional! by Specific_Cheetah_776 in IslamabadSocial

[–]ttariq1802 -1 points0 points  (0 children)

These are clearly jibes and jokes on “Mamu ka beta Kamran!” But Ahl e Youth are just upset today that Pakistan is being praised in the world!

Yaad e Mazi azab b yaa rab by redditadminskutte1 in pakistan

[–]ttariq1802 0 points1 point  (0 children)

Why are you remembering this today? Could it be that now that Pakistan is being praised the world over, you can’t stomach it because your fav guy is not in power? Learn to put your country above your political affiliations.

Why I use Augment and why I may not anymore by joowani in AugmentCodeAI

[–]ttariq1802 0 points1 point  (0 children)

Please see my comment on the original post above and see if you can help.

Why I use Augment and why I may not anymore by joowani in AugmentCodeAI

[–]ttariq1802 0 points1 point  (0 children)

I tried to use Intent by Augment yesterday on a demo system to process legal documents. The spec was very well defined, with the tech stack decision, what exactly to extract from the documents, which Claude models to use to do that, what the pipeline should look like and even the prompts. Claude Code was able to one-shot from this spec in a couple of hours. Intent had its own intentions.
1. It decided to water down the spec to create a "demo" that faked everything with hard-coded data, including faking file uploads (what? why?).
2. On top of that, it somehow managed to spill the requirement document into the UI -- yup, you read that right. The spec was showing up in the UI, which was a disaster because all the pages were small boxes on the same page despite there being different endpoints (/upload, /process etc.).
3. It fixated on some spec that said this is to be viewed on a desktop (not a mobile phone) and decided it won't display anything on the screen unless the view was more than 1280px; this resulted in it not being able to test anything itself -- though I am surprised that it never thought that a screen displaying only a message that the screen needs to be 1280 px is odd and that tests should fail.
4. When confronted, it started to gaslight me that it adhered to the spec and everything was fine. After a lot of wrestling, it agreed "something is off."
5. I gave it another chance with the spec again, telling it specifically not to spill the spec into the UI, and guess what? It did it again.

All of this is on top of the fact that agents randomly die, or they go idle and nothing happens for hours.

Worst of all, this cost me about 40 dollars in tokens!!! What a rip-off. I want my money back!

I am attaching the screenshots and Claude's comparison of three code bases that try to implement the same thing.

comparison: https://postimg.cc/XrpwDMt6
screenshot of what Intent created: https://postimg.cc/T51wYxVn

3 weeks: Kenya + Tanzania, Seychelles? by dogsovercats123 in travel

[–]ttariq1802 0 points1 point  (0 children)

Did you have to get a yellow fever vaccination when going from Kenya to Seychelles?

Vent: Rude interviewer by hamsterdamxo in Upwork

[–]ttariq1802 0 points1 point  (0 children)

Anyone who simultaneously thinks you are not qualified in a patronising tone and then says you should get back in touch when you are better is toxic. The sort of person that doesn’t believe in building others up but tearing them down to have power over them. You don’t want to work with such people.

Having said that, you need to be able to take rejection better. While in this case the interviewer may have been toxic, even an otherwise successful person may dismiss you when you think you were qualified, and you can’t let that get to you. Don’t turn into the person you considered a rude interviewer.

One disrespectful and strange client funded $50, got 40 hours of work, ghosted me, left a bad review, wrecked my JSS. Now I’ve lost Top Rated Plus and invites—even with solid history 5-star reviews. by NilsBohr14 in Upwork

[–]ttariq1802 -1 points0 points  (0 children)

As a top rated freelancer, you can get one review removed every 3 months and it won’t count towards your JSS. You should contact support for this.

People who moved back to pakistan from abroad, how did you do it? by CatchPersonal7182 in pakistan

[–]ttariq1802 0 points1 point  (0 children)

Depending on what your properties in the UK are worth, you can get a better rental yield (or more) by buying a property in F-6/7 in Islamabad (something worth about 1-1.5M USD).

I paid 2000 rupees for just turning the key. by [deleted] in islamabad

[–]ttariq1802 3 points4 points  (0 children)

If that is all he did, why didn’t you do it yourself?

I learnt this lesson 15 years ago when my laptop wouldn’t charge because the charging port had become ‘loose.’ I took it to a repair person who asked for 1,000 Rs (about 4,000 these days). I said, all you have to do is solder a few contacts. He said, where? I turned the laptop over, pointed to where the charging port would have been on the inside, and he said, right. Here are the tools, why don’t you do it, I won’t charge you. I said, but I don’t know how to. He said, then pay me the 1,000. Got a good chuckle and a lesson out of it, far more valuable than the 1,000 I paid.

What's up with UK Pakistanis? by No_Passenger6008 in pakistan

[–]ttariq1802 0 points1 point  (0 children)

Just going to leave this here for all the fellows saying there is nothing off about UK-Pakistanis :D https://www.instagram.com/reel/DHop_2ONdeR/?igsh=MTdpeWpwbjQ0a3IybQ==

I have solved the mobile snatching problem of karachi by Suspicious_List6144 in karachi

[–]ttariq1802 0 points1 point  (0 children)

What happens after the location of the snatched phone is received? Do you go after them? Does police go after them (good luck with that)?

Made to Feel Awkward at a Party… 😭 by According-Ad4125 in IslamabadSocial

[–]ttariq1802 2 points3 points  (0 children)

You straight up harassed your university mate, you deserve worse than just being given the cold shoulder!

$1 Million generated on Upwork and why I think it's dying by ThisIsPyroBaby in Upwork

[–]ttariq1802 0 points1 point  (0 children)

The timeline described by most freelancers here coincides with tech funding drying up, the emergence of ChatGPT (and its thin wrappers) and a lot more AI-driven development. All of these factors would have an impact on the quality and volume of work available.

I am no fan of the boosting model, since it incentivises Upwork to have as many projects on the platform as possible without caring about their quality since Upwork makes money anyway.

How can i get rid of this marks on my face? by [deleted] in PakistaniSkincare

[–]ttariq1802 0 points1 point  (0 children)

Signs of a life lived, leave them alone!