CodeBreach in AWS CodeBuild, Bazel TLS Certificate Expiry Breaks Builds, Helm Charts Reliability Audit, and New n8n Sandbox Escape RCE
JAN 30, 2026 · 18 MIN
Description
<p>This week on <strong>Ship It Weekly</strong>, Brian looks at four “glue failures” that can turn into real outages and real security risk.</p>
<p>We start with CodeBreach: AWS disclosed a CodeBuild webhook filter misconfig in a small set of AWS-managed repos. The takeaway is simple: CI trigger logic is part of your security boundary now.</p>
<p>Next is the Bazel TLS cert expiry incident. Cert failures are a binary cliff, and “auto renew” is only one link in the chain.</p>
<p>Third is Helm chart reliability. Prequel reviewed 105 charts and found a lot of demo-friendly defaults that don’t hold up under real load, rollouts, or node drains.</p>
<p>Fourth is n8n. Two new high-severity flaws disclosed by JFrog. “Authenticated” still matters because workflow authoring is basically code execution, and these tools sit next to your secrets.</p>
<p>Lightning round: Fence, HashiCorp agent-skills, marimo, and a cautionary agent-loop story.</p>
<p><strong>Links</strong></p>
<p>AWS CodeBreach bulletin <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/security/security-bulletins/2026-002-AWS/">https://aws.amazon.com/security/security-bulletins/2026-002-AWS/</a></p>
<p>Wiz research <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild">https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild</a></p>
<p>Bazel postmortem <a target="_blank" rel="noopener noreferrer nofollow" href="https://blog.bazel.build/2026/01/16/ssl-cert-expiry.html">https://blog.bazel.build/2026/01/16/ssl-cert-expiry.html</a></p>
<p>Helm report <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.prequel.dev/blog-post/the-real-state-of-helm-chart-reliability-2025-hidden-risks-in-100-open-source-charts">https://www.prequel.dev/blog-post/the-real-state-of-helm-chart-reliability-2025-hidden-risks-in-100-open-source-charts</a></p>
<p>n8n coverage <a target="_blank" rel="noopener noreferrer nofollow" href="https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html">https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html</a></p>
<p>Fence <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/Use-Tusk/fence">https://github.com/Use-Tusk/fence</a></p>
<p>agent-skills <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/hashicorp/agent-skills">https://github.com/hashicorp/agent-skills</a></p>
<p>marimo <a target="_blank" rel="noopener noreferrer nofollow" href="https://marimo.io/">https://marimo.io/</a></p>
<p>Agent loop story <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.theregister.com/2026/01/27/ralph_wiggum_claude_loops/">https://www.theregister.com/2026/01/27/ralph_wiggum_claude_loops/</a></p>
<p>Related n8n episodes:</p>
<p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/ship-it-weekly/n8n-critical-cve-cve-2026-21858-aws-gpu-capacity-blocks-price-hike-netflix-temporal/">https://www.tellerstech.com/ship-it-weekly/n8n-critical-cve-cve-2026-21858-aws-gpu-capacity-blocks-price-hike-netflix-temporal/</a></p>
<p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/ship-it-weekly/n8n-auth-rce-cve-2026-21877-github-artifact-permissions-and-aws-devops-agent-lessons/">https://www.tellerstech.com/ship-it-weekly/n8n-auth-rce-cve-2026-21877-github-artifact-permissions-and-aws-devops-agent-lessons/</a></p>
<p>More episodes + details: <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm">https://shipitweekly.fm</a></p>