https://jonathanbucaro.com/tags/cli/Recent content in Cli on Jonathan BúcaroHugoen-USWed, 27 May 2026 19:53:56 +0000https://jonathanbucaro.com/blog/bumblebee/Wed, 27 May 2026 19:53:56 +0000https://jonathanbucaro.com/blog/bumblebee/<h2 id="-tldr">🎯 TL;DR</h2> <p>Bumblebee is a single Go binary that walks on-disk package metadata and emits a structured NDJSON stream of what it finds. No package managers are invoked, no network calls are made during scans, and no credentials appear in the output. It answers one specific question: which packages and versions are installed on this developer machine right now?</p> <p><strong>Choose your path:</strong></p> <ul> <li>🚀 <a href="https://jonathanbucaro.com/blog/bumblebee/#quick-start">Quick Start</a></li> <li>🏗️ <a href="https://jonathanbucaro.com/blog/bumblebee/#how-it-works">How It Works Inside</a></li> <li>📦 <a href="https://jonathanbucaro.com/blog/bumblebee/#scan-multiple-projects">Scan Multiple Projects</a></li> <li>⚖️ <a href="https://jonathanbucaro.com/blog/bumblebee/#honest-trade-offs">Honest Trade-offs</a></li> </ul> <hr> <h2 id="-why-i-looked-at-this">🤔 Why I Looked at This</h2> <p>Supply-chain incidents have been a recurring pattern in 2026. Two of them landed close together and kept surfacing the same question for me. In March 2026, <code>axios@1.14.1</code> and <code>axios@0.30.4</code> were published with an injected dependency that ran a platform-specific remote access trojan during installation. In May 2026, 84 malicious artifacts across 42 <code>@tanstack/*</code> packages reached npm through a GitHub Actions compromise.</p>