# Developer Tooling, Supply Chain Security, and Infrastructure Strategy

**Podcast:** The Changelog: Software Development, Open Source
**Published:** 2026-04-29

## Transcript

What's up, friends?
Adam here.
This is Changelog News for the week of April 27th, 2026.
Fresh off the press, literally hours old at this point.
Warp is now open source.
Yes, your favorite terminal, and mine too, besides Ghostty, of course, is now open source.
Years ago, we had Zach on the pod and pressured him.
Highly suggested, I should say, that Warp be open source.
And the day is finally here.
They are now open source.
The primary reason is, quote, that we think we can ship a better Warp more quickly if we open source and work with our community, end quote.
Big congrats, Zach.
I'm excited.
Are you excited?
Okay, let's get into the news.
Bitwarden CLI has been compromised.
Yes, Bitwarden's official command line tool got hit last Thursday.
Our friends at Socket are on the beat.
They flagged a malicious CLI published to npm as part of the same Checkmarx-themed supply chain campaign that's been going through developer tooling these past few weeks.
Here's what matters.
The CLI is now the tool by definition that sits next to our secrets.
And the compromised build was scraping GitHub tokens, AWS, Azure and GCP credentials, npm config, SSH keys, the good stuff, right?
Shell profiles and even your cloud and MCP config files, shipped out to a spoofed audit.checkmarks.cx endpoint.
So if you ran Bitwarden or bw, the command, on a dev machine or a CI runner in the past few weeks, this is an incident response.
This is not a patch cycle.
And our friends at Socket say, quote, the compromise follows the same GitHub Action supply chain vector identified in the broader Checkmarx campaign, end quote.
So this is a strategic attack.
And our dev tools are in the crosshairs.
TypeScript 7.0 Beta.
TypeScript 7.0 hit beta last Tuesday.
After more than a year of porting from a JavaScript-based bootstrapped compiler to a Go rewrite, the team is shipping it with one headline number.
About 10x faster than 6.0.
The big picture, this is the most ambitious thing TypeScript has done since the language shipped.
Microsoft didn't add features; they rewrote the core in a different language to break a performance ceiling that the JavaScript-bootstrapped tsc was never going to clear.
And they say stable is within the next two months.
Daniel Rosenwasser, TypeScript program manager for Microsoft, says this, quote, it is highly stable, highly compatible and ready to put to the test in your daily workflows and CI pipelines today.
So you've got your marching orders: use it in your workflows today, use it in your pipelines today and enjoy TypeScript 7.0.
Ubuntu 26.04 LTS is here.
Okay, so Resolute Raccoon shipped on Thursday.
Fantastic news for our home labbers out there who are on the edge of Ubuntu.
I know that's what I use in my VMs and containers, so I'm excited to finally get my templates updated to Ubuntu 26.04 up from 24.04.
This is the LTS release your servers will run for the next five years, on through April 2036.
So that's a long time.
The most interesting call in this release isn't the kernel or the desktop.
It's Canonical pumping the brakes on the Rust coreutils swap.
It's the kind of judgment that makes the LTS worth trusting.
Plan your fleet upgrade window now.
I know I am.
If Rust everywhere lands by 26.10 as targeted, this LTS is the on-ramp.
And now time for some sponsored news.
Well, I'm here with Nikki Pike from Coder.com, secure environments where devs and agents work in parallel.
Nikki, the thing on my mind this week is the laptop.
How secure, how at risk are we?
The laptop is the trap here.
And not only because of the fact that it could be stolen, you could lose it, it breaks, and you're out of work while you're waiting for a new one.
But there's also just the consistency that you got there.
We all know developers.
Developers are going to be looking for some of the latest and greatest.
And if you're not really controlling how they get out there, that's where you get this.
It works on my machine.
It doesn't work in production.
It doesn't work anywhere else because you don't have that consistency.
You don't have that ability to really standardize what that environment looks like.
But there's also the security and the supply chain aspect of this.
When you have local machines out there.
Look at, like, Shai-Hulud, you know, that worm that went out not long ago.
This was a compromise of the npm public repositories.
They went and downloaded things.
npm did what it did.
Next thing you know, you're compromised.
But when you use something like what we're doing with cloud development environments, then you can mandate and you can put restrictions on there to say, hey, you can only go get your packages from our private repo.
Those packages are expected to have been thoroughly vetted.
We know that they're clean.
Now, does this stop everything like Shai-Hulud?
No.
If that compromised package gets into your private repo, you can still have that.
But it really reduces the surface area of the attack.
And it also reduces the blast area of the compromise should it happen.
Because if your laptop gets compromised and you have to kill the laptop for whatever reason, that's weeks out of work while you're either fixing that or you're getting a new laptop in.
Cloud development environments allow you to kill that, start back up fresh, and you're back and running in five minutes.
You don't have to wait all that time.
All right, friends, go to coder.com.
Give your developers room to build and run parallel agents inside secure self-hosted environments.
Again, coder.com.
Spinal compiles Ruby to native binaries.
Our favorite programmer, Matz, dropped Spinal on Friday.
Thank you, Matz, of course, for Ruby.
It is an ahead-of-time compiler that takes Ruby source, emits standalone C and runs it through GCC or Clang to produce a native binary.
And the benchmarks say it's about 11.6x faster.
And on compute heavy workloads, Conway's Game of Life is the canonical example.
And it tops 86x.
And if you ask me, this changes the framing for what Ruby can be used for.
The immediate obvious win is small CLIs, lambda functions, and short-lived processes.
Basically, anywhere CRuby startup cost was a tax that pushed you to Go or Rust, now Ruby is an option.
And here's the cool thing.
Ruby on more serious infrastructure.
The cleanest read of this is that Matz is signaling Ruby's future has a typed, precompiled lane next to its dynamic one.
The Crystal community has been making this case for years.
But the difference is this one's coming from Matz himself.
It's not a fork.
It's a direction.
pgBackRest is no longer being maintained.
After 13 years, David Steele has stepped away from pgBackRest.
The repository is archived.
The README leads with, quote, notice of obsolescence, end quote.
The standard backup tool for production Postgres deployments has lost its maintainer and won't be patched going forward.
This is not a hobby crate gone dormant.
pgBackRest is a tool a lot of operations teams have woven into the fabric of what they do: their runbooks, their backup automation, their disaster recovery plans.
And when the next CVE hits and this maintainer's gone, it's not getting patched, not eventually, just not at all.
The sentiment can be read directly from David Steele, quote, rather than do the work poorly and/or sporadically, I think it makes sense to have a hard stop, end quote.
David, good for you to call the ball, draw the line, and step away as you need to.
So if you run pgBackRest in production, this is a this-week task.
Don't delay it.
And who knows what's to come for pgBackRest.
Next week, we may have a new headline about it.
We shall see.
All right, friends, this show's done.
Tons of links in the newsletter.
Check that out as well.
Also tune in to Changelog 680, talking to Amelia Wattenberger.
Explore with agents.
Designer, data viz veteran, ex-GitHub Next, and now designing intent at Augment Code.
Once again, Changelog 680.
And again, thank you to Coder for sponsoring this episode.
That's it.
We're done.
We'll see you soon.
