Last Tuesday, one of my Go services got 14 Dependabot PRs in a single day. All of them came from one CVE, and none of them affected the way our code actually runs in production. We still had to read the alerts, review the PRs, wait for CI, and merge changes. That was the moment I decided to stop using Dependabot for this workflow. What finally broke it for me The issue was CVE-2026-26958 in filippo.io/edwards25519. ...
Last month our Artifactory renewal came in at 40% more than last year. No new features we needed, just the usual “enterprise tier” squeeze. Security scanning? Pay more. Replication? Pay more. SSO that isn’t SAML-only? You guessed it. So I spent two weeks building a replacement. Here’s what actually worked, what didn’t, and the gotchas nobody warns you about. What We Were Running Our Artifactory setup handled: Docker images (~800 images, ~12TB total) npm packages (private registry, ~200 internal packages) Helm charts Generic binary artifacts (build outputs, firmware blobs) The big requirements: vulnerability scanning on push, OIDC SSO, and cross-region replication to a DR site. ...