Hacker News | silverwind's comments

> That's great until you need to connect to a work/client VPN that decided to also use 10.0.0.0/8.

There are numerous other reserved IPv4 blocks that can be used: https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv4. Would definitely not recommend using 10/8 for private networks.


Landed on 172.16/22 for this reason; however, it's not uncommon for an enterprise to use all 3 private classes. One place I worked used 192.168 for management, 10 for servers, and 172 for wifi.

Using 2 different classes has been a pretty common setup for wifi and wireless in my experience


Likely not, given that it only implements ES5.


Pinning actions doesn't really work because most action dependencies are unpinned thanks to npm's default behaviour of not pinning them.


Just don't use actions which pull in arbitrary npm packages without a lockfile.


Why does this matter?

JavaScript actions are already bundled.


SVG can for example contain text elements rendered with a font. If the font is not available it will render in a different one. The issue can be avoided by turning text elements into paths, but not all SVGs do that.


Also text zoom.


svgo is a minifier, not a sanitizer.


I should have clarified `svgo + removeScripts`

https://svgo.dev/docs/plugins/removeScripts/


You should run VPN on your gateway instead.


Sounds like planned obsolescence if devices stop working after 5 years or less.


Only for devices that do not allow you to patch the CA bundle as an aftermarket repair. Call your representative and demand Right to Repair legislation.


That is ... basically all of them? Other than general purpose desktop/laptop computers that is. Show me a TV or smartphone that does allow you to push new roots to it...


Not a problem if you have the cert on a shared load balancer, not on the services directly.


This is what we do for development containers/hosts - put them behind *.dev.example.com, allows us to hide most testing instances using a shared load balancer. And with a single wildcard CNAME, No info is leaked in CT logs or DNS. Said LB is firewalled, but why pay for extra traffic that's just going to be blocked?


> This happens with things like os.UserHomeDir or some networking things like DNS lookups.

The docs do not mention this CGO dependency; are you sure?

https://pkg.go.dev/os#UserHomeDir


I was surprised too, that I had to check the docs, so I assume the user was misinformed.


Perhaps I misremembered or things changed? For instance, os/user results in a dynamically linked executable: https://play.golang.com/p/7QsmcjJI4H5

There are multiple standard library functions that do it. I recall some in "net" and some in "os".


os.UserHomeDir is specified to read the HOME environment variable, so it doesn't require CGo. os/user does, but only to support NSS and LDAP, which are provided by libc. That's also why net requires CGo: for getaddrinfo using resolv.conf.


They shouldn't be loaded in a React SPA at least, e.g. `react-dom` and `react` packages should be unaffected.


So they are part of the standard distribution (like through npm install react), but are unused by default? Something like that?


This code doesn’t exist in `react` or `react-dom`, no. Packages are released in lockstep to avoid confusion which is why everything got a version bump.

The vulnerable packages are the ones starting with `react-server-` (like `react-server-dom-webpack`) or anything that vendors their code (like `next` does).

