Skip to main content

ci-cd

Browse all articles, tutorials, and guides about ci-cd

5posts

Posts

DevOps
|8 min read

Per-Branch AI Endpoints: Isolating Model Spend Across Prod, Preview, and CI

When previews, CI, and production all call models with the same key, you cannot tell what a preview cost or notice a runaway test until the invoice. Because a Neon branch is its own deployment with a usage ledger that lives in the branch's Postgres, model spend is attributed and isolated per environment. I proved it: a CI branch spent tokens while production stayed flat.

Security
|8 min read

When the SSH Server Attacks the Client: libssh2 CVE-2026-55200

You spent years hardening sshd. This bug does not care. CVE-2026-55200 is a pre-auth heap overflow in libssh2 where a malicious SSH server takes over the client that connects to it, no credentials needed. And libssh2 is a client library hiding in curl, git tooling, and backup jobs all over your pipeline. Here is the bug, who is actually exposed, and how to find it in your stack.

DevOps
|9 min read

Preview Environments That Include the Backend, Not Just the Frontend

Every PR gets a frontend preview URL. The backend is almost always one shared staging database, so previews quietly lie to you. On Neon a branch is the database, its data, and the functions together, so each PR can get a real isolated backend. Here is the workflow, tested end to end.

DevOps
|9 min read

npm v12 Will Stop Running Install Scripts. We Audited Our Repos to See What Actually Breaks

Starting with npm v12 (estimated July 2026), dependency install scripts will not run unless you allowlist them. We ran the new audit tooling on our own production repos: 65 packages flagged, 4 that matter, and a surprising amount of nothing breaking.

Security
|13 min read

CVE-2026-3854: A Single git push Owned GitHub

A semicolon in a git push option let any authenticated user run code on GitHub.com's backend and on 88% of self-hosted GitHub Enterprise installs. Here is how the bug worked and what to do.