Editor's Pick
Anyone can Access Deleted and Private Repository Data on GitHub
You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way.
This is such an enormous attack vector for all organizations that use GitHub that we’re introducing a new term: Cross Fork Object Reference (CFOR). A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks). Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them.
CSS
New in CSS: relative colors
Do you remember the good old Sass days? Using Sass, you could manipulate colors with helper functions such as darken or lighten. This wasn't possible in pure CSS, but now it's on its way.
CSS Stuff I'm Excited After The Last CSSWG Meeting
From June 11–13, the CSS Working Group (CSSWG) held its second face-to-face meeting of the year in Coruña, Spain, with a long agenda of new features and improvements coming to the language. If 2023 brought us incredible advances like out-of-the-box nesting, container and style queries, or the :has() selector, then 2024 is going to be even more packed with even more ground-breaking additions.
How not to use box shadows
So you think you know box shadows, huh? I bet you didn't know they could do this.
Styling Tables the Modern CSS Way
Creating good-looking tables on the web can be fiddly at times. We’re going to run through some tips and gotchas for building simple and complex tables in HTML and CSS, and where modern CSS can help us.
CSS Grid Areas
A fresh look at the CSS grid template areas and how to take advantage of its full potential today.
JavaScript
JSTinker - open source JSFiddle clone
An open source clone of JSFiddle, this project was made to provide insight into how something like this is created. My goal was to mimic as many of JSFiddle's features as possible in an offline environment. No accounts or internet connection totally necessary (besides online resources).
Learn to Build Components That Work Anywhere - a free roadmap for learning web components
Learn all about web components with this free roadmap. You'll learn all about things like Custom Elements, HTML Templates, Shadow DOM, and more.
TinyBase - the reactive data store for local‑first apps.
TinyBase lets you listen to changes made to any part of your data. This means your app will be fast, since you only spend rendering cycles on things that change. The optional bindings to React and pre-built components let you easily build fully reactive UIs on top of TinyBase. You even get a built-in undo stack, and developer tools.
UX
Dark Patterns Hall of Shame
Protect your online privacy and rights by learning about dark patterns and unethical designs. Stay informed and avoid manipulation in the digital world.
Miscellaneous
Animata - Hand-crafted interaction animations and effects from around the internet to copy and paste into your project
Animata is a free and open-source collection of hand-crafted animations, effects, and interactions that you can seamlessly integrate into your project with a simple copy and paste. The animations are built using TailwindCSS and ReactJS, and can be easily customized to fit your project's design.
Animata is not a full-fledged UI library like Material-UI or Chakra-UI. It is a collection of animations and effects that you can use to enhance your project's design. You can use Animata alongside other UI libraries or design systems as well (you will need to set up TailwindCSS for this).