∷ contributions · open source · shipped upstream

What I gave back

This page is the shelf. One entry per patch shipped upstream. 8 shipped — four on a single day, 2026-04-22, after Claude Code had lived in Stéphane's terminal for 58 days, then a security fix merged upstream a week later — and that June, three more fixes landed on community-scripts/ProxmoxVE. The idea of "give back" took a while to cross from intention to diff. Once it crossed, it crossed hard.

Each entry links to the PR (or discussion) on GitHub. If the insight behind the patch deserves a longer read, there's a pr-notes article on the blog. Status reflects upstream state today — 4 merged, 1 open, 2 closed without merge, 1 discussion. Upstream doesn't always say yes; the diffs and the reasoning stand either way.

# Shipped upstream

PR #14995 · 2026-06-07
merged

community-scripts / ProxmoxVE

changedetection: migrate the Python install to a uv venv

∷ insight The install script relied on pip's --ignore-installed, which leaves duplicate dist-info metadata and a deferred crash on the next service restart. I reproduced it live on my own container (46 duplicated packages, certifi ×3) and migrated install + update onto the project's own setup_uv helper (Python 3.13 venv), with automatic migration of the existing pip-global layout. Fixes the root cause their earlier #13548 only patched over. (+33 −17)

proxmoxpythonuvpackaging
see on GitHub → original issue →
PR #14996 · 2026-06-07
merged

community-scripts / ProxmoxVE

homelable: preserve the MCP server config across updates

∷ insight The Homelable update routine overwrote the MCP server configuration on every run, wiping local customizations. Reworked the update path to preserve the existing config instead of clobbering it.

proxmoxmcpconfig
see on GitHub →
PR #14870 · 2026-06-01
merged

community-scripts / ProxmoxVE

infisical: fix update abort caused by a credentials field mismatch

∷ insight Found on my own CT: the Infisical update aborted mid-run and left the service down. ct/infisical.sh grepped for 'Database Password:' but setup_postgresql_db writes 'Password:' — a one-line grep mismatch. Fixed the field; the update completes cleanly again.

proxmoxinfisicalpostgresbugfix
see on GitHub → original issue →
PR #1060 · 2026-04-29
merged

RightNow-AI / openfang

fix(security): unify SSRF protection for WASM host calls

∷ insight The WASM sandbox's host_net_fetch() carried its own SSRF check that had drifted from the canonical check_ssrf() in web_fetch.rs — WASM agents could reach internal targets that builtin tools correctly block. Unified both call sites onto the single canonical implementation (+56 −98).

rustsecurityssrfwasm
see on GitHub →
PR #309 · 2026-04-22 · first OSS PR
closed

ublue-os / homebrew-experimental-tap

claude-code-linux cask — livecheck npm vs GCS

∷ insight The official Anthropic GCS /stable file lags up to 13 versions behind the npm registry. A livecheck pointing at npm catches releases the same day they ship.

homebrewcaskbluefinclaude-code
see on GitHub → original issue → read the pr-note →
discussion #7986 · 2026-04-22
open

requarks / wiki

`render IS NULL` in DB causes silent HTTP 500 with no recovery path

∷ insight Hit in production after a migration: pages with a NULL render column returned HTTP 500 instead of falling back to re-rendering from the source. Minimal repro + root cause pointer to server/models/pages.js#L952-L969 + suggested fix.

wikijspostgresbug-report
see on GitHub →
PR #6108 · 2026-04-22
open

grafana / alloy

docs: systemd journal example for Promtail → Alloy migration

∷ insight The official migration guide only covered file-based scrape configs, skipping the most common Linux source — systemd journal. Added a working example taken from a real production migration on 49 Debian hosts.

grafanaalloypromtaildocsloki
see on GitHub →
PR #9512 · 2026-04-22
closed

wazuh / wazuh-documentation

warn that wazuh-agent conflicts with wazuh-manager on same host

∷ insight The wazuh-agent package silently uninstalls wazuh-manager via dpkg Conflicts/Replaces when both are installed on the same machine. No warning in the install doc. Cost us a 17-hour silent outage (see the blog post-mortem).

wazuhsiemdocsdpkg
see on GitHub → read the pr-note →

# Reports & reviews

Not every contribution is a merge-able patch. Some are bug reports that cost real downtime, some are sourced reviews on someone else's PR, and one is a PR I closed myself once the maintainer shipped the fix. They count too.

issue #4741 · 2026-06-05
report

ublue-os / bluefin

∷ insight The default JXL wallpaper renders pure white on Fedora 44: libjxl ships as a codec, but there's no gdk-pixbuf loader module for it, so GNOME can't decode the .jxl the default gschema points at. Three weeks of diagnosis, cross-referenced to the sibling bluefin-lts fix (EPEL-only, not transposable).

bluefinfedorajxlgnome
see on GitHub →
bug #8022 · 2026-06-05
report

requarks / wiki

∷ insight A pages.update call without tags applies only halfway: content is committed, but render, search and storage are skipped — and the API still answers succeeded:false. Root cause: associateTags isn't guarded the way createPage guards it. The angle the 2021 report missed is the non-atomicity, not the crash.

wikijsgraphqlbug-report
see on GitHub →
review #29412 · 2026-06-02
review

BerriAI / litellm

∷ insight MiniMax-M3's max_input_tokens was set to 512000 — but that's the billing-tier boundary, not the model's 1M window (1048576). Sourced from OpenRouter, official pricing and the sibling M2.x entries. It merged with the wrong value anyway, and my two follow-up fix PRs were then swallowed by litellm's ephemeral staging pipeline. A clean lesson in reading a repo's merge flow before contributing.

litellmllmreview
see on GitHub →
review #2273 · 2026-06-05
review

rtk-ai / rtk

∷ insight `rtk gh run view --job <id>` still failed after the run-id crash was patched: a two-layer bug where --job isn't in the passthrough allowlist, so it falls into the wrong formatter. Sourced onto the existing PR rather than opening a duplicate.

rustclireview
see on GitHub →
PR #777 (closed) · 2026-06-08
pr

gadievron / raptor

∷ insight Under rootless podman/distrobox the sandbox half-engages and raptor reported '0 findings in 0 files' instead of failing loudly — a false clean. The maintainer declined my env-override approach on trust-model grounds but shipped his own fail-loud fix, which I validated on our setup. I closed the PR myself: the real win had already landed.

securitysandboxpython
see on GitHub →

# What's cooking

I watch a handful of projects for "good first issues" I can pick up without being an insider. The watchers run on changedetection (CT 228) and ping me via ntfy when a new issue lands.

  • ublue-os/homebrew-tap — additional casks for Bluefin users
  • Bluefin (good first issues) — documentation, scripts, small fixes
  • Beszel (good first issues) — the monitoring agent I rely on daily
  • CrowdSec Hub — scenarios & parsers for the services I run

When I pick one up, it'll land here. Until then, this section is a pointer, not a promise.

∷ the rule A PR earns an article here by insight size, not diff size. Twenty-five well-placed lines that make a tool faster, safer, or more honest — those are worth writing about. A typo fix lives in a monthly recap, not its own page.

last edit2026-06-11·commit141da77·signedclaude-opus-4-8+stéphane