
Security
May 22, 2026
Package Override Kill Switches: npm, pnpm, Yarn, Maven, Gradle & NuGet
A copy-paste reference for emergency dependency control across every major package manager — plus what to do when the only safe version of a component is one upstream no longer ships.
Greg Allen

Thought Leadership
May 21, 2026
Securing End-of-Life Software in Kubernetes: A Platform Team’s Playbook
A Platform Team's Playbook for When Upgrading Isn't an Immediate Option
Justin Gorny

Security
May 20, 2026
Apache Tomcat May 2026 Security Release: 7 CVEs Affect Tomcat 8.5
How Apache's May 10 release impacts an EOL version the official security page no longer documents
Greg Allen

Thought Leadership
May 20, 2026
Node.js Collaboration Summit London 2026: HeroDevs Trip Report
What Node.js’s new release strategy and rising AI vulnerability noise mean for security, sustainability, and long-term support.
Marco Ippolito

Thought Leadership
May 19, 2026
What Is "AI Slop" in Security? A Plain-Language Guide to AI-Generated Vulnerability Reports
How AI-generated vulnerability noise is overwhelming maintainers—and reshaping the future of open source security.
Taylor Corbett

Security
May 18, 2026
CVE-2026-42945: NGINX Rift Heap Buffer Overflow Hits Ingress NGINX
How the “NGINX Rift” vulnerability creates an unauthenticated RCE risk for retired Ingress NGINX deployments.
Greg Allen

Compliance
May 18, 2026
Spring AI 2.0 Is Coming Soon. Your Boot 4.0 Migration Does Not Have to Start Tomorrow.
Spring AI 2.0 GA is scheduled for May 28. Here is what teams on Spring Boot 3.x need to know about the Boot 4.0 requirement, the real migration scope, and how to approach the upgrade without putting production at risk.
Taylor Corbett
Security
May 15, 2026
Spring Boot Managed Dependencies Still Get CVEs After EOL: May 2026 Patch Round-Up
24 upstream CVEs landed across Tomcat, Netty, Thymeleaf, Jetty, and pgjdbc in a single month — every one reachable through the Spring Boot managed-dependency BOM on at least one EOL line.
Erik Weibust

Security
May 15, 2026
Angular v19 Goes EOL May 19. Angular 22 Is Coming the Same Month. Here Is How to Navigate Both.
Angular v19 reaches end of life on May 19, 2026. Angular 22 is expected to ship around the same time. For enterprise teams, the overlap of an EOL deadline and a new major release is real pressure — and it is manageable if you plan for it correctly.
Taylor Corbett

Security
May 15, 2026
Spring Framework April 2026: 3 Web Stack DoS and Cache Poisoning CVEs
How a single April 17 release addressed three independent denial-of-service vectors in the Spring 5.3, 6.1, 6.2, and 7.0 web stack, with two of those branches receiving fixes only on commercial subscriptions
Greg Allen

Security
May 14, 2026
Angular EOL Security in 2026: AI Tooling Is Widening the Gap
Why the gap between modern Angular AI tooling and EOL versions is becoming a critical security risk.
Shelby Kelley
Security
May 13, 2026
Mini Shai-Hulud: Another npm Supply Chain Worm, and Why "Just Update" Isn't the Answer
The TanStack compromise shipped 84 malicious package versions with valid SLSA Build Level 3 provenance attestations. Cryptographic signing worked exactly as designed, and that's the problem.
Allison Vorthmann
Compliance
May 13, 2026
Your EOL Open Source Is an EU Cyber Resilience Act Problem. Here’s How to Fix It
What all organizations shipping software into the EU need to know — and a practical path forward.
Rob Nalen

Thought Leadership
May 13, 2026
How a Group of Developers Took Back Control of Enterprise Java: The Spring Story, And Why It Still Matters
HeroDevs is proud to be the Platinum sponsor of "Spring: The Documentary," a new film from Tech Documentaries telling the story of how Spring transformed enterprise Java. Watch it on CultRepo's YouTube channel.
Taylor Corbett

Security
May 12, 2026
CVE-2026-22610: XSS Vulnerability in Angular Template Compiler via Unsanitized SVG Script Attributes
A cross-site scripting vulnerability in Angular's Template Compiler allows attackers to inject and execute malicious scripts through SVG elements. Applications running Angular 18.x and earlier have no upstream patch available. NES for Angular delivers a remediated package for all affected EOL versions.
Ryan Jasinski