Organizations will never claim to use your data to increase profits. It’s always for safety, research, quality assurance, etc. The ultimate incentive remains to kill competition and maximize profits.
@TTrimoreau Best cost to value ratio, speed - composer 2.5
Best at handling complex tasks with heavy cognitive load - opus 4.7
Best at getting things “right” without much explanation - gpt 5.5
Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10+ years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored).
If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies. If you don't see anything compelling, don't update!
I remember at HashiCorp once in a while an engineer would try to update a dep or replace a DIY lib with an external one and I'd always ask “show me the commit we need.” Don't update for the sake of it.
Feeling pretty swell about this mentality with all the supply chain attacks happening.
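As an added example (not from the post above), a small Python script that diffs two pinned lockfiles so you can see exactly which transitive dependencies a proposed update touches before anyone reviews commits. The lockfile contents, package names and versions are constructed samples; `left-pad-py` is a hypothetical package name.

```python
"""Diff two pinned lockfiles to find which transitive dependencies actually change.

Added example: the requirements-style lockfiles below (`name==version` per line)
are constructed for illustration, not taken from any real project.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the full transitive set before and after a proposed update.
LOCK_BEFORE = """\
requests==2.31.0
urllib3==2.0.7
certifi==2023.7.22
idna==3.4
charset-normalizer==3.2.0
"""

LOCK_AFTER = """\
requests==2.32.3
urllib3==2.2.2
certifi==2023.7.22
idna==3.4
charset-normalizer==3.3.2
left-pad-py==1.0.0   # hypothetical new transitive dependency
"""


def parse_lock(text: str) -> Dict[str, str]:
    """Map package name -> pinned version; refuse anything that is not an exact pin."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement: {line!r}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


@dataclass
class LockDiff:
    added: Dict[str, str]                 # name -> version
    removed: Dict[str, str]               # name -> version
    changed: Dict[str, Tuple[str, str]]   # name -> (old version, new version)


def diff_locks(before: str, after: str) -> LockDiff:
    """Compute what an update adds, removes, or bumps in the transitive set."""
    old, new = parse_lock(before), parse_lock(after)
    added = {n: v for n, v in new.items() if n not in old}
    removed = {n: v for n, v in old.items() if n not in new}
    changed = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    return LockDiff(added=added, removed=removed, changed=changed)


def review_checklist(diff: LockDiff) -> List[str]:
    """One line per package for which someone must produce 'the commit we need'."""
    items: List[str] = []
    for name, (old_v, new_v) in sorted(diff.changed.items()):
        items.append(f"{name}: review every commit between {old_v} and {new_v}")
    for name, version in sorted(diff.added.items()):
        items.append(f"{name}: new transitive dependency at {version}; review its full history")
    for name, version in sorted(diff.removed.items()):
        items.append(f"{name}: dropped at {version}; confirm nothing still depends on it")
    return items


if __name__ == "__main__":
    for line in review_checklist(diff_locks(LOCK_BEFORE, LOCK_AFTER)):
        print(line)
```

The checklist deliberately lists new transitive packages separately: a bump you asked for can pull in a package nobody on the team has ever read, and that is the part of the update most worth scrutinizing.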
- Your device has a backdoor. Don't leave secrets in text files
- Your app will get hacked one day. NEVER leave secrets in the source code hard coding NOR baking during build time
Env variables are slept on. Pulling them from a running process is way harder than people think.
- Cloud creds will leak. Forget these: long-lived tokens, permanent admin, or delete permissions.
- API keys are basically public: hard spending caps + instant alerts. Treat every key like it’s half-leaked already.
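An added example, not part of the post above: a Python check in the spirit of these rules that flags string literals assigned to credential-looking names in source, and a fail-fast loader that requires secrets to come from the process environment. The sample source lines, variable names and values are constructed for illustration.

```python
"""Flag hard-coded secrets in source and require them from the environment instead.

Added example; SAMPLE_SOURCE is constructed and contains no real credentials.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: two hard-coded secrets, two environment lookups, one harmless value.
SAMPLE_SOURCE = '''\
API_KEY = "sk_live_0123456789abcdef0123456789abcdef"
db_password = 'hunter2-this-is-not-a-real-password'
api_key = os.environ["API_KEY"]
timeout_seconds = 30
aws_secret_access_key = os.getenv("AWS_SECRET_ACCESS_KEY")
'''

# Names that usually hold credentials.
SECRET_NAME = re.compile(r"(?i)(api[_-]?key|secret|password|passwd|token|private[_-]?key)")
# A plain `name = "literal"` assignment; env lookups and calls do not match.
LITERAL_ASSIGN = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(['"])(.*?)\2\s*$""")


def find_hardcoded_secrets(source: str, min_length: int = 8) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for every credential-looking literal assignment."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = LITERAL_ASSIGN.match(line)
        if not match:
            continue  # value is not a string literal (env lookup, call, number)
        name, _, value = match.groups()
        if SECRET_NAME.search(name) and len(value) >= min_length:
            findings.append((lineno, name))
    return findings


def missing_secrets(required: List[str], env: Optional[Dict[str, str]] = None) -> List[str]:
    """Names from `required` that are absent or empty in the environment."""
    env = os.environ if env is None else env
    return sorted(name for name in required if not env.get(name))


def require_secrets(required: List[str], env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Fail at startup, not at first use, if any required secret is not set."""
    missing = missing_secrets(required, env)
    if missing:
        raise RuntimeError(f"missing secrets {missing}; set them in the environment, not in source")
    env = os.environ if env is None else env
    return {name: env[name] for name in required}


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} is assigned a string literal; load it from the environment")
```

Run `find_hardcoded_secrets` over a tree in CI to catch the literal before it ships; `require_secrets` makes a misconfigured deployment fail loudly at boot rather than quietly falling back to a value baked into the build.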
These simple rules will save a lot of headache
1. Catch crap before it ships: scan your apps for vulnerabilities with Trivy or similar tools
2. NEVER update to the latest version on Day 1 (unless it's a security patch): let enthusiasts beta test for you. Wait 2-4 weeks. The real bugs always surface early
3. Golden Rule: Assume everything is already compromised; you just don't know it yet
Hacks like this are the new norm. Assume the worst. Make it easy to swap secrets. If possible, limit each secret’s privileges to be as narrow as possible and break it down into many. Set caps on spending. Can’t trust your sensitive and proprietary stuff to be out there
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
overcooking
you've seen this: someone ships a dashboard that shows every number with a sparkline, every action has a confirmation modal, every empty state has an animated illustration and a tagline. individually each decision made sense to someone. together it feels like chaos. nothing is in focus.
that's overcooking. not one bad decision in isolation, but the accumulation of reasonable ones that no one said no to.
AI makes this worse as the cost of adding has dropped to near zero. it can build a feature, even a whole new concept in minutes. so people do. and then they do it again. the thing that started with a clear purpose slowly becomes a collection of additions that are each justifiable but collectively incoherent.
the root problem is that most "new ideas" aren't new. they're a repackaging of something that already exists at a more fundamental level. a new sticker on an old concept. it feels like progress because something changed, with a new word and skin – but the thinking didn't go deeper, it just duplicated itself into confusion.
the whole has a core. you feel it once you understand the whole system. everything in it is related and balanced. when you overload it, that gravity weakens. not because any one thing is wrong – but because attention is finite and you force it everywhere.
what we need aren't more tools that make more slop. it's seeing through the chaos, and returning to what the thing actually is, and cutting everything that doesn't serve that. that's harder now, not easier. because there's always something else you could add with one more prompt.