Tempered Works Ltd.

How to get pwned with --extra-index-url

brabster — Sat, 06 Dec 2025 00:00:00 +0000

Python's built-in pip package manager is unsafe when used with the --extra-index-url flag (there are other dangerous variants too). An attacker can publish a malicious package with the same name and a higher version to PyPI, and their package will be installed.

This post confirms that the vulnerability (CVE-2018-20225) is still a problem today. Despite the CVSS 7.8 (High) CVSS score, the maintainers have refused to change the behaviour.

I also introduce a test suite and publicly-available test packages that you can use to more easily confirm the safety - or not - of your own setup.

UDAFs, stored procedures and more in dbt

brabster — Mon, 04 Aug 2025 00:00:00 +0000

It's been over a year since I first wrote about managing UDFs using custom dbt materializations. The approach has held up well, but a recent project required me to go further and bring UDAFs (user-defined aggregate functions) and stored procedures into the fold. The same approach worked well, and dbt Labs are considering adding formal support for UDFs!

BigQuery, safer by default from September 2025

brabster — Thu, 17 Jul 2025 00:00:00 +0000

On September 1st 2025, Google will make BigQuery a lot safer by default, changing the default quotas for projects under the default on-demand pricing model. Instead of unlimited financial damage, the default for new projects will be around $1000 per day. Existing projects will be updated to a custom limit based on prior 30-day usage. No changes to existing limits.

Thanks to for supporting this content.

GitHub Codespaces, one year later

brabster — Sat, 07 Jun 2025 00:00:00 +0000

Back in early 2024 I tried GitHub Codespaces, and quickly ditched my local dev setup entirely. This post shares my experience going cloud-native for development: benefits for onboarding, agility, and security, alongside the real-world snags like network dependency and unexpected billing quirks.

GROUP BY ALL solves a really annoying SQL problem

brabster — Thu, 29 May 2025 00:00:00 +0000

Does your SQL still copy most of your columns from SELECT after GROUP BY?

Behold: GROUP BY ALL.

Thanks to for supporting this content.

My path to consultancy

brabster — Sun, 11 May 2025 00:00:00 +0000

I had big doubts about becoming a consultant or contractor. Could I do it? Would I find work? Could I run my own business? Would I need to change who I am, wear a suit, or buy a briefcase? Seven years have flown by since I took the plunge, so I'm going to share my story in case it's helpful for you!

Rethinking the guest network to improve my home network security

brabster — Sun, 23 Mar 2025 00:00:00 +0000

I believe that making my guest network my default network reduces the potential harm a compromised app or device can cause. What was my "trusted" network is now my "untrusted" network, with only a few low-risk devices that really need local network connectivity connected to it, isolated from other devices that matter like my phone and work laptop.

It's a simple change in how I use my home network, and does not require in-depth knowledge and experience. Having operated this way at home for a few months now, I've found little impact on day-to-day usability, but it's really helped me sleep better at night. I'll explain what I changed, why, and how I've adjusted my wider thinking on my home network security to take better advantage of this approach.

Thanks to for supporting this content.

Generating portable and user-friendly identifiers

brabster — Sat, 08 Mar 2025 00:00:00 +0000

I'll share how I generate unique identifiers from data in 2025, avoiding the pitfalls I've seen along the way. TL;DR: I'm using MD5 to produce a digest from a string or bytes value, then I'm using plain old hexadecimal encoding of that digest, specifying upper or lowercase for the alpha characters. This solution meets the needs I describe next.

Thanks to for supporting this content.

Using AWS billing to track down lost resources

brabster — Sun, 09 Feb 2025 00:00:00 +0000

My AWS bill was higher than I expected, and it wasn't immediately clear what was driving the cost. Here's how I tracked down the culprits.

Testing stored procedures

brabster — Sat, 18 Jan 2025 00:00:00 +0000

Update August 2025¶

Since writing this post, I've found a clean way to handle stored procedures and their outputs for dbt users by treating them as materializations. This makes testing them as straightforward as testing any other dbt model. Read more in UDAFs, stored procedures and more in dbt.

Whilst I've used and written about UDFs a lot, I can't recall ever having a reason to work with stored procedures. When I was asked how I'd go about wrapping them in automation and testing, I thought it'd be a good excuse to take a look and see how I might go about testing them!

Avoiding CAST ROW in AWS Athena SQL

brabster — Mon, 18 Nov 2024 00:00:00 +0000

There is more than one way to build a ROW in AWS Athena and the underlying Trino engine. It turns out I was doing it the verbose, brittle and really annoying way. Row subqueries are so much better!

Thanks to for supporting this content.

dbt-core vulnerability PVE-2024-73530

brabster — Wed, 06 Nov 2024 00:00:00 +0000

I noticed failing builds this week, with a dbt-core vulnerability flagged by SafetyCLI as the culprit. There was no actionable information in the command line output, so here's what I found and my action.

Thanks to for supporting this content.

Google Chrome Oct 15 update broke GitHub Codespaces

brabster — Sun, 27 Oct 2024 00:00:00 +0000

The Oct 15, 2024 update of Google Chrome stable (130.0.6723.58) suddenly broke some sites, such as GitHub Codespaces and 1Password, due to a JavaScript-related setting.

Time travelling with change data capture

brabster — Sun, 18 Aug 2024 00:00:00 +0000

In the last article of the series, I ran into difficulties as I tried to "time-travel" back to earlier points in time. That's an important capability for correct functioning and reproducing results. This article shows how to use window functions (also known as analytic functions) to simplify handling of processing time and avoid the previous problems.

Thanks to for supporting this content.

Map over an array in BigQuery

brabster — Wed, 31 Jul 2024 00:00:00 +0000

This walkthrough shows how I can use the functional programming techniques map and filter that I already know and love in SQL engines like BigQuery. These techniques give me a lot of processing power whilst keeping my SQL simple and relatively easy to understand. Unlike custom code, I can use the same SQL and infratructure I'd use to process ten rows to process ten billion rows in seconds.

Preventing data theft with GCP service controls

brabster — Sat, 06 Jul 2024 00:00:00 +0000

I recently discovered and responsibly disclosed a vulnerability in the dbt analytics engineering solution. Google Cloud services are my default choice to process data, so I looked into how I could protect myself from data theft when I'm using BigQuery.

Thanks to for supporting this content.

Latest and historical state from change data capture

brabster — Fri, 28 Jun 2024 00:00:00 +0000

In previous posts, I disambiguated transactions by filtering out any transient statements and noted that changes in primary key values cause big problems. Now I can start to answer useful questions about the current and historical changes in a source table, learning something important about window functions along the way.

Thanks to for supporting this content.

Breaking change data capture with primary keys

brabster — Wed, 12 Jun 2024 00:00:00 +0000

My work on dealing with multiple tables was interrupted when I discovered a subtle scenario that leads to DMS CDC output that cannot be correctly interpreted. I was unable to find a solution, but I will update this post if new information emerges.

Thanks to for supporting this content.

Disambiguating transactions in change data capture

brabster — Tue, 04 Jun 2024 00:00:00 +0000

In the CDC output, I get a row for each statement executing in the transaction. Each row reflects the state of the database when that statement is executed. How do I filter out all the transient statements to get the final state of the row when a transaction has finished?

Thanks to for supporting this content.

Handling CVE-2019-8341 for dbt and mkdocs

brabster — Sun, 02 Jun 2024 00:00:00 +0000

Yesterday, Safety told me about CVE-2019-8341, a security issue affecting Jinja2. I'll walk through how I investigated and assessed the risk to my website and a dbt pipeline I operate in the public domain. I finish up with a commentary on why I think this vulnerability is real and should be fixed, and why I think we need to risk breaking potentially insecure usage to make vulnerability management manageable in the real world.

Thanks to for supporting this content.