Every developer has tools they rely on daily. The workflows they’ve built around them, the ways they’ve learned to move faster, debug smarter, and write better code – that kind of hands-on experience can be hard to put into words. We’re collaborating with LinkedIn to make it easier for you to showcase your expertise with […]

141 Mastra npm packages were compromised in a supply chain attack that injected a malicious dependency to silently download and execute a payload at install time.Category: Vulnerabilities & Threats

On June 17, 2026, an attacker compromised the @mastra npm organization and quietly added easy-day-js as a dependency across 140+ packages in the Mastra AI framework ecosystem. easy-day-js is a typosquat of the popular dayjs date library, and its latest version contained an obfuscated postinstall dropper that downloaded and ran a second-stage payload from attacker-controlled servers, then deleted itself to remove any trace. Packages with a combined weekly download count exceeding 1.1 million were

More than 140 Mastra npm packages were compromised in a supply chain attack that used a typosquatted dependency to deliver a cross-platform infostealer during installation.

Giving your agents access to your tools, data, and services is what makes them useful. As agents perform deeper work across systems, authenticating and authorizing that access becomes central to your application architecture.Today, agent access is usually granted through long-lived provider tokens stored in your environment variables, provisioned for everything your agent might need. These tokens are shared across every user, never expire, and give your agent full reach across every task, no mat

Today, we are proud to introduce , an open-source agent framework for building, running, and scaling agents. eve is designed around the idea that building an agent should mean defining what it does without assembling all of the pieces that it needs to run in production. Instead, eve comes with production already built in:eveeve is the framework that we build and run our own agents on.Agents today are where the web was before frameworks, with everyone hand-rolling the same plumbing and nothing ca

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/click-to-play-component"><click-to-play> — a still that plays</a></p> <p>A progressive enchantment Web Component that turns this markup:</p><pre><code><click-to-play> <a href="URL to GIF"> <img src="URL to first frame" alt="..."> </a></click-to-play></code></pre><p>Into...

<p><strong><a href="https://inessential.com/2026/06/15/netnewswire-status.html">NetNewsWire Status</a></strong></p>I find this inspiring. Brent Simmons retired a year ago, and his retirement project is making one piece of software really, <em>really</em> good - free from any commercial pressure.</p><p>The software is <a href="https://netnewswire.com/">NetNewsWire</a> - "it's like podcasts, but for <em>reading</em&g...

こんにちは。フロントエンドエンジニアの小張（@kobari41257）です。 2026年5月9日に開催されたフロントエンドカンファレンス名古屋2026に、PR TIMESはスポンサーとして協賛し、ブースの出展およびLT登 […]

Nx 23 brings a smarter multi-major nx migrate, performance wins across the local engine and Nx Cloud agents, native Node.js TypeScript stripping and V8 compile cache on by default, more precise target configuration, and a big cleanup of deprecated generators, executors, and APIs.

JTL responded fast and has released fixes for every supported branch: versions 5.5.4, 5.6.2 and 5.7.2, plus a back-patch covering 5.0.0 through 5.7.0. Every store owner running JTL Shop 5.2.0 or la...

Enterprise teams can now control access to their Vercel deployments with . Vercel PassportPassport centralizes access using the identity providers your team already uses, like Okta, Auth0, or any compatible OIDC provider, so visitors must authenticate before they can view a protected deployment.Use Passport to:After Passport authenticates a visitor, use getIdentity() from @vercel/passport to read their identity server-side:Passport is $100 per project per month with no limit on external users th

is now available in public preview.eveeve is an open-source framework for building, running, and scaling agents. An agent is just a directory of files, and production comes built in:The smallest agent that runs is just two files, a model and a set of instructions.Add a tool, skill, channel, or schedule by adding a file. eve picks them up at build time and wires them in for you, so there's no boilerplate to register them.You can scaffold and start a new agent with a single command. It installs th

A new npm package tests AI malware scanners with prompt injection, safety-triggering comments, context flooding, and obfuscated JavaScript.

Today we are introducing , a platform that gives your entire company the ability to ship with AI safely, behind your access and security boundaries.Vercel for Enterprise Apps and AgentsOver the past year, employees across Vercel shipped hundreds of agents and internal apps. Getting to production was the easy part, because we built them with on top of the and deployed them on Vercel.eveAgent StackThe difficult questions came after those agents were being used by our employees across the company:W

<p><strong>Release:</strong> <a href="https://github.com/simonw/datasette/releases/tag/1.0a34">datasette 1.0a34</a></p> <p>Quoting the release notes:</p><blockquote><p>The big feature in this alpha is tools to insert, edit and delete rows within the Datasette interface. These features are available on table pages, and edit and delete are also available as action items on the row page.</p></blockquote><p><click-to-p...

npm and Python supply chain attacks run on developer machines and steal secrets. See how Package Configs audits registry, cooldown, and auth across your fleet

Git worktrees have been around since 2015, but it wasn't until recently they became popular. Learn what they are, how to use them, and why you might.The post What are git worktrees, and why should I use them? appeared first on The GitHub Blog.

A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.Category: Vulnerabilities & Threats

Props for That creates live props based things CSS can't normally see in the browser. Things like cursor position, progress values, certain form states, current time, scroll velocity.Prop For That originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

There are some real advantages to variable scope and evaluation scope that you get with @function in CSS.

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-tailscale/releases/tag/0.1a0">datasette-tailscale 0.1a0</a></p> <p>A very experimental alpha plugin which lets you do this:</p><pre><code>datasette tailscale mydata.db \ --ts-authkey tskey-auth-xxxx --ts-hostname datasette-preview</code></pre><p>This starts a localhost Datasette server with a <a href="https://tailscale.com/">Tailscale&l...

<blockquote cite="https://news.ycombinator.com/item?id=48555993#48557304"><p>I can 100% attest to the fact that Qwen3.6-27B is a very capable local model for coding tasks. Over the last month and a half I've been using it almost daily, either on my M2 Ultra or on my RTX 5090 box. I use it for small <a href="https://github.com/search?q=%22Assisted-by%22+user%3Aggml-org&type=commits&ref=advsearch">mundane tasks at ggml-org</a> - nothing really impressive, b...

In a world where AI is informing more design choices, it’s easy to mistake predictions for certainties. This article introduces Probabilistic Design, a mindset that allows UX and product teams to accept uncertainty, decipher AI outputs with nuance, and make smart, adaptive decisions.

Socket now detects supply chain risks in project manifests, starting with missing lockfiles that can make dependency installs non-reproducible.

Get unified visibility into your email authentication posture and reach full DMARC enforcement with deeper reporting, record analysis, and SPF audits free for every Cloudflare customer.

<p><strong><a href="https://www.lutasecurity.com/post/the-fable-5-export-controls-harm-us-cyber-defense">The Fable 5 Export Controls Harm US Cyber Defense</a></strong></p>I <a href="https://simonwillison.net/2026/Jun/16/matteo-wong-the-atlantic/">quoted The Atlantic</a> quoting Kate Moussouris earlier, when I should have gone straight to the source. Here she is confirming that the "jailbreak" that got Claude Fable 5 banned under an export control ...

みなさまこんにちは、STORES モバイル開発本部の @marcy731 です。 今年もモバイル開発者にとってのお祭り、iOSDC Japan 2026 が 9月11日 (金) ~ 9月13日 (日) の期間で東京の有明セントラルタワーホール&カンファレンスで開催されます。 STORES では昨年に引き続き、iOSDC Japan 2026 に参加する学生のみなさんを対象とした参加支援を実施します。 iOSDC Japan は、全国のiOSエンジニアやモバイルアプリ開発者が集まる日本最大級の技術カンファレンスです。 iosdc.jp 全国の学生に、iOSDC Japan、iOSコミュニティの楽…

<blockquote cite="https://www.theatlantic.com/technology/2026/06/trump-anthropic-export-control-ai-race/687555/?gift=5MjKTLV9QwyU_J0HzTnanoWieJfkMhNH_YTT9pP_fhA"><p>Katie Moussouris, a cybersecurity expert and the CEO of Luta Security, told me that Anthropic shared with her a copy of the White House’s report on the Fable jailbreak to get her appraisal. (She said that she is not being paid by Anthropic.) The report, Moussouris said, involved IT experts asking Fable to help find and p...

こんにちは、LINEヤフー株式会社の福野です。先月開催されたGoogle I/O 2026に初めて参加してきました。本記事ではそんな初参加者の目線からGoogle I/Oの魅力を紹介するほか、当社で行...

<p><strong>TIL:</strong> <a href="https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand">Cloudflare CAPTCHA on at least one ampersand</a></p> <p>I'm using Cloudflare's CAPTCHA (they call it a "Web Application Firewall > Custom rules > Managed Challenge" these days) to prevent crawlers from aggresively spidering my <a href="https://simonwillison.net/2017/Oct/5/django-postgresql-faceted-search/">faceted search engi...

Vercel Sandboxes can run uninterrupted sessions for up to 24 hours (up from 5 hours). This new max duration unlocks workloads that require longer runtimes, such as large-scale data processing, end-to-end testing pipelines, and long-lived agentic workflows.Pair with to maintain durable state across extended runs.persistent sandboxesThe 24 hour max duration is available on all Pro and Enterprise plans. Learn more about limits in the .documentationRead more

Your build cache is a trust boundary. When you cannot trust it, you ship broken artifacts downstream.

Four years after adopting react-admin, Caritas shares how CariNet now serves 65,000 users, integrates AI agents, and continues to grow. Proof that frameworks still matter in the age of AI.

When you migrate auth providers, you inherit password hashes you can't decrypt. Here's how to handle every major format.

Store, retrieve, update, and delete sensitive user data using Vault's full CRUD lifecycle (no cryptography expertise required).

How audience-bound tokens keep your MCP servers secure.

GLM 5.2 is now available on .AI GatewayBuilt for long-horizon tasks, GLM 5.2 carries project-level engineering context across a single task, runs long-running tasks more reliably, and follows engineering standards more consistently.The context window for this model has been upgraded to 1M tokens, up from 200K in GLM 5.1.To use GLM 5.2, set model to in the :zai/glm-5.2AI SDKAI Gateway provides a unified API for calling models, tracking usage and cost, and configuring retries, failover, and perfor

The Workflow SDK 5 beta now supports the standard and APIs across workflow and step boundaries.AbortControllerAbortSignalCreate a controller inside a workflow, pass its signal into one or more steps, and cancel in-flight operations using the same API already uses.fetchThat signal stays durable across suspensions and deterministic replay. When a step is running, it sees the cancellation, even when it's in a separate function invocation. Cancellation is also cooperative; steps have to inspect the

Workflow SDK now supports applications on Vercel.TanStack StartTanStack Start is built on Vite and , so the existing plugin works directly. Add it to alongside .Nitroworkflow/vitevite.config.tstanstackStart()From there, write workflow and step functions in standard TypeScript with and . They run as durable, resumable operations that survive restarts, sleep for days, and retry on failure, with compilation, queue configuration, and persistence handled by the plugin."use workflow""use step"Read the

Today we are releasing Babel 8. It's been 8 years since we released Babel 7. And that's not without reason.

The trojanized extensions use TinyGo-compiled WebAssembly and Solana transaction memos to resolve command-and-control infrastructure.

Customizable select is coming to Safari 27.

GitHub Copilot CLI for Beginners: Learn how to use slash commands to control your terminal AI agent.The post GitHub Copilot CLI for Beginners: Overview of common slash commands appeared first on The GitHub Blog.

This has been a long time coming, and I could not be more excited it’s finally here. And I know exactly who to thank for it. Our customers have been telling us to do this for a while now: Probably don’t call it Frontend anymore, you have a lot more offerings. The name Frontend Masters […]

A new repository-level dataset, published on GitHub under CC0-1.0, helps researchers and developers discover multilingual developer content across READMEs, issues, and pull requests.The post Accelerating researchers and developers building multilingual AI with a new open dataset appeared first on The GitHub Blog.

NGINX Ingress Controller 5.5.0 introduced ExternalAuth, a new Policy type that lets you define external authentication once in a Policy resource and apply it consistently across both VirtualServer and Ingress traffic paths. This is the first blog in a two part series that covers the ExternalAuth Policy, and is focused on: Why Use a Policy […]

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent/releases/tag/0.3a0">datasette-agent 0.3a0</a></p> <blockquote><ul><li>New tool, <code>execute_write_sql</code>, which requests user approval and then writes to a database - taking user permissions into account. <a href="https://github.com/datasette/datasette-agent/issues/27">#27</a></li></ul></blockquote><p>I add...

<p><strong><a href="https://www.axios.com/2026/06/15/anthropic-white-house-fable-mythos">"They screwed us": Personality clashes sent Anthropic's models offline</a></strong></p>Lots of "source familiar with the administration's thinking" and "source close to Anthropic" in this Axios piece, which is the best collection of behind-the-scenes gossip I've seen about the US government <a href="https://simonwillison.net/2026/Jun/13/us-go...

Vercel Functions using the Node.js and Python runtimes now support execution durations up to 30 minutes for Pro and Enterprise teams, more than 2x the previous 800 second limit. Support for additional runtimes is coming soon.Use longer-running Functions for work that needs more time to finish, including:Fluid Compute keeps long-running work cost-efficient. Active CPU billing only applies while your code is executing, and pauses while your Function is waiting on I/O such as AI model calls, databa

CSS functions, the alpha() function, Grid Lanes, some things about Dialog that you might not know, CSS Wordle, and more — this is What’s !important right now.What’s !important #13: @function, alpha(), CSS Wordle, and More originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Cloudflare is deepening our investment in AI with the addition of team members from Ensemble AI, focusing on machine learning infrastructure and efficiency.

You can now add , a production-ready authentication to your Vercel app in just a few clicks. Auth0Built for modern frameworks like Next.js, Auth0 is an identity and access management platform for securing your apps and agentic workflows. This integration enables:Get started with on the .Auth0Vercel MarketplaceRead moreAutomatic provisioning of an Auth0 application that connects to your Vercel projectOut-of-the-box support for your Next.js applications using the Auth0 Next.js SDKComplete user man

<blockquote cite="https://wizardzines.com/comics/write-for-one-person/"><p>[...] Instead, I picture a specific person and I just write for them. Often this person is "me, but 3 years ago" or a good friend.</p></blockquote><p class="cite">— <a href="https://wizardzines.com/comics/write-for-one-person/">Julia Evans</a>, write for 1 person</p> <p>Tags: <a href="https://simonwillison.net/tags/writing">writing</a>, <a hre...

It doesn’t matter if it worksAn extremely good and important read.LLMs and performative productivityA rather detailed post that links out to some really interesting studies too.When to use (and not use) CSS shorthand propertiesAs I see it, margin, padding and border are safe as houses but there is evil out there, such as the flex shorthand.Being “good” at thingsJust a thoroughly delightful read, as per usual from Jim.The amazing mail sent to a video game publisherAn interesting look behind the c

MDN's MCP server brings MDN's documentation and browser compatibility data directly into your editor or IDE, giving your LLM or coding agent access to accurate, up-to-date web platform information.

pnpm 11.7 adds a frozenStore setting for installing against a read-only package store, a --batch flag for publishing a whole workspace in one request, scope-specific auth tokens, and full resolving installs delegated to pacquet. It also hardens lockfile alias handling, makes several install paths deterministic, and ships a number of publish and Windows fixes.

What "isolation" actually means at the key level, how to implement it with key context, and what your blast radius looks like when something goes wrong.

Why authentication and API access are two different things in Google OAuth, and what to do about it.

A complete guide to authorization in React Router v7, from roles and permissions to organization-scoped access and enterprise RBAC.

An analysis of 25 European train websites to discover which website performs best across the Core Web Vitals.

Hobby users can now create up to 100 Blob stores, up from 5. This gives teams more flexibility to organize data by project, environment, or region as applications grow. Storage, operations, and transfer limits still apply.Learn more in the .Blob documentationRead more

<p><strong><a href="https://www.normaltech.ai/p/why-ai-hasnt-replaced-software-engineers">Why AI hasn’t replaced software engineers, and won’t</a></strong></p>Arvind Narayanan and Sayash Kappor take on the question of AI job losses through the lens of a profession that is uniquely suited to AI disruption - software engineering.</p><blockquote><p>In this essay, we argue that there is enough evidence to reject the narrative that once AI capabi...

はじめに こんにちは！電気通信大学大学院 情報理工学研究科 修士1年の南村栞多と申します。2026年 ...

コーディングエージェントの自律性が向上し、並行して複数のエージェントを動かすことが当たり前になってきた今、エージェントの動きを逐一監視することは現実的ではなくなっています。そのため実装前に人間と AI の間で共通理解を形成することが重要になっています。この記事では、実装前の設計フェーズで要件を明確にし、人間と AI の間で共通理解を形成するためのスキル `/grill-me` について紹介します。

A look at how the Indaru Ecometrics plugin estimates website CO2 emissions using page weight, visitor device, location, and time on page.

<p>The <a href="https://blog.pyodide.org/posts/314-release/">Pyodide 314.0 release announcement</a> (via <a href="https://news.ycombinator.com/item?id=48462759">Hacker News</a>) includes news I've been looking forward to for a long time:</p><blockquote><p>You can now publish Python packages built for Pyodide (or any Python runtime compatible with <a href="https://pyodide.org/en/stable/development/abi.html">the PyEmscripten platform defined i...

<p><strong>Release:</strong> <a href="https://github.com/simonw/luau-wasm/releases/tag/0.1a0">luau-wasm 0.1a0</a></p> <p>See <a href="https://simonwillison.net/2026/Jun/13/publishing-wasm-wheels/">Publishing WASM wheels to PyPI for use with Pyodide</a> for details.</p> <p>Tags: <a href="https://simonwillison.net/tags/lua">lua</a>, <a href="https://simonwillison.net/tags/webassembly">webassembly</a>, <a ...

<p><strong>Research:</strong> <a href="https://github.com/simonw/research/tree/main/sqlite-column-provenance#readme">Mapping SQLite result columns back to their source `table.column`</a></p> <p>It would be neat if arbitrary SQL queries in <a href="https://datasette.io/">Datasette</a> could be rendered with additional information based on which columns from which tables were included in the results.</p><p>To build that, we would n...

Anthropic says the directive cited national security concerns over a narrow jailbreak, but offered no specific technical details.

You never needed Mythos to find your IDORs and business logic flaws. A look at what Anthropic shipped with Fable 5, and why infosec stays a people problem at heart.Category: News

On June 11th 2026, security researchers and the Arch Linux community disclosed a large-scale supply-chain attack against the Arch User Repository (AUR). Attackers hijacked more than 400 community packages and turned them into a malware delivery network. While the immediate blast radius is limited to Arch Linux systems, the campaign is a textbook example of how modern attackers compromise developers and CI infrastructure by abusing trust in open-source ecosystems.

<p><strong><a href="https://www.anthropic.com/news/fable-mythos-access">Statement on the US government directive to suspend access to Fable 5 and Mythos 5</a></strong></p>Well this is <em>nuts</em>:</p><blockquote><p>The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, incl...

Sansec discovered an active supply-chain attack hitting over 1.2 million sites that use the popular OptinMonster, TrustPulse and PushEngage Wordpress plugins, all operated by Wordpress giant Awesom...

Masonry and grid-lanes aren't just for creative, editorial layouts. A few lines of CSS helped make our CSS analysis page a lot more data-dense.

's native Nitro v3 integration is now in beta. Steps run inside the same bundled runtime as the rest of your app, instead of a separate bundle. Nitro's and other server-side APIs work directly inside functions.Workflow SDKuseStorage()"use step"The Nitro dev server also serves the workflow web UI at . Open it in your browser to inspect, monitor, and debug workflow runs./_workflowWorkflow routes are now bundled by Nitro as part of the app build. Dependencies are traced, and unused code is tree-sha

<p><strong><a href="https://tools.simonwillison.net/openai-webrtc">OpenAI WebRTC Audio Session, now with document context</a></strong></p>I built the first version of this tool <a href="https://simonwillison.net/2024/Dec/17/openai-webrtc/">in December 2024</a> to try out the then-new OpenAI WebRTC API for interacting with their realtime audio models.</p><p>Last month OpenAI <a href="https://openai.com/index/advancing-voice-intellige...

A network of 152 Chrome live wallpaper extensions hid ad tracking and made extension-driven traffic look like Google search clicks.

Better orchestration, fewer handoffs, faster progress, without a single new knob.The post How we made GitHub Copilot CLI more selective about delegation appeared first on The GitHub Blog.

A practitioner breakdown of LLM token theft: what it is, how the abuse works, the signals that catch it, and why traditional tools miss it.

<blockquote cite="https://www.mcsweeneys.net/articles/ai-economics-for-dummies"><p>Jenny owns a crematorium. John’s propane company gives her a $20 billion investment in return for 5 percent of her operation. Jenny throws $10 billion into the incinerator, then pays John $10 billion to buy propane to burn that money to ashes. John reports that his AI investments have generated $10 billion in revenue this quarter and that he owns 5 percent of a $100 billion business. A reporter from &...

Using our 3, 2, 1 state system, we can make popovers animate on "the way in" and "the way out" just like we did with dialogs in Part 1.

Why isn't my 3D view transition working?! Sunkanmi tackles this frustration and offers an elegant fix for it.Why Isn’t My 3D View Transition Working? originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

One of those nuances to keep in your back pocket when writing for screen readers.There’s no need to include ‘navigation’ in your navigation labels originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Cloudflare Security Insights system now processes over 120 scans per second, providing frequent insights for all customers. By optimizing Kafka consumers, Postgres queries, and our API, we scaled our throughput 10x without adding hardware.

技術情報のキャッチアップは、業務が忙しくなると最初に削られます。意志の問題ではなく、情報収集が時間を細かく、けれど継続的に消費する活動だからだと思っています。newmoでは立派な仕組みを作るより、忙しい週でも続く軽いものとしてエンジニアミートアップを行なっています。 Engineering Meetup とは newmoには「Engineering Meetup」という場があります。週に一度、エンジニアリングに興味のあるメンバーが話題を持ち寄る1時間のランダムトークです。毎週金曜の夕方に、所属や雇用形態を問わず誰でも参加できます。テーマはWebでもモバイルでもクラウドでも自動運転でも、最近読ん…

We have officially moved past the era of humanoid robots as mere public relations stunts. As they become increasingly lifelike, society may soon face profound social, psychological, and ethical challenges. What happens when the boundary between humans and machines becomes almost impossible to distinguish?

In compliance , access to Claude Fable 5 is now suspended on for all users. We do not know if or when access to the model will be restored.with the US Government's directiveAI GatewayYou can still access and use other Anthropic models through AI Gateway.Read more

HighlightsFive core rules now highlight smaller ranges of code to avoid shadowing other problems in editors.Rules max-lines-per-function, max-nested-callbacks, and max-statements now highlight only the function header instead of the entire function.Rules max-depth and no-with now highlight only the first keyword.Several errors in the calculations have been corrected in the max-depth and max-nested-callbacks rules. These bug fixes can result in reporting more linting errors in existing code.Featu

Amasty Order Attributes contains an unauthenticated arbitrary file upload vulnerability. An attacker can upload a file of any type and name to the store's media directory with no login, no session ...

A practical checklist for platform teams securing agents, MCP servers, and coding assistants before the next credential leak

Kimi K2.7 Code from Moonshot AI is now available on .AI GatewayK2.7 Code is a coding model built for long-horizon programming tasks, generalizing across scenarios including frontend development, DevOps, and performance optimization. The model has a native multimodal architecture that supports text and vision input, and always runs in thinking mode.To use K2.7 Code, set model to in the :moonshotai/kimi-k2.7-codeAI SDKPass an image alongside a prompt to use the model's multimodal input:AI Gateway

introduces , a single API for running established agent harnesses, including Claude Code, Codex, and Pi. AI SDK has always let you switch models without rewriting your agent. Now you can switch the harness the same way.AI SDK 7HarnessAgentWrite the agent once. Use the best harness available.Today. In 3 months. A year from now.Harnesses manage the components above a model call, including skills, sandboxes, sessions, permission flows, compaction, runtime configuration, and sub-agents. The AI SDK n

Vercel Drop lets you deploy a file or folder by dragging it into your browser. You don't need Git, the , or any local setup.Vercel CLIDrop a project onto , pick a team and project name, and select . Vercel will create a new project, upload your files, and publish them straight to production with a live URL you can share. All in a matter of seconds.vercel.com/dropDeployVercel Drop handles more than static files:- Framework projects: Vercel detects your framework (e.g., Next.js) and builds it. Exp

<p>After two days of experience with <a href="https://simonwillison.net/2026/Jun/9/claude-fable-5/">Claude Fable 5</a> I think the best way to describe it is <strong>relentlessly proactive</strong>. It knows a whole lot of tricks and it will deploy pretty much any of them to get to its goal.</p><p>I'll illustrate this with an example. I was hacking on <a href="https://agent.datasette.io/">Datasette Agent</a> today when I noticed a glitch: a ...

Web未経験MLエンジニアが社内プロダクト開発でAIコーディングにどハマりするまで はじめに こんに ...

In May, we experienced nine incidents that resulted in degraded performance across GitHub services.The post GitHub availability report: May 2026 appeared first on The GitHub Blog.

Socket’s first CISO brings deep experience securing high-growth SaaS companies as open source supply chain threats accelerate.

Miasma and Hades worms are spreading across npm and PyPI, running on import and project open. See how Dev Machine Guard's Suspicious Files detects them.

Alerts are more trustworthy and actionable when noise is reduced. See how we improved the verification step with context-aware LLM reasoning.The post Making secret scanning more trustworthy: Reducing false positives at scale appeared first on The GitHub Blog.

<p><strong>Release:</strong> <a href="https://github.com/simonw/datasette/releases/tag/1.0a33">datasette 1.0a33</a></p> <p>This alpha is a significant step on the road to a stable 1.0, finally extending the <code>?_extra=</code> pattern I introduced <a href="https://docs.datasette.io/en/1.0a3/changelog.html#a3-2023-08-09">in Datasette 1.0a3</a> to cover queries and rows in addition to tables. That pattern is also <a href="http...

npm v12 makes install scripts opt-in by default, closing the install-time execution path behind a year of npm supply chain worms from Nx to Red Hat.Category: News

Aikido now supports Docker Hardened Images with built-in VEX integration, helping teams reduce CVE noise and focus on container vulnerabilities that actually need attention.Category: Product & Company Updates

No plugin needed. A small Lua script that adds closing pairs only where you actually write code.

<p><strong>Release:</strong> <a href="https://github.com/simonw/asyncinject/releases/tag/0.7">asyncinject 0.7</a></p> <p>I built this utility library to support an <code>asyncio</code> dependency injection pattern a few years ago. I was using it with Datasette and Claude Fable 5 spotted some bugs in the dependency which it then fixed for me. It's a very proactive model!</p> <p>Tags: <a href="https://simonwillison.net/tags/asyn...

Okara on Vercel4 billion tokens processed daily across a multi-provider AI stack on VercelAI CMOs actively managing growth for 120,000+ businessesEight sub-agents handling SEO, GEO, social, content, Reddit, and Hacker NewsNew AI models available to users the same day they shipOkara is an AI CMO that directs a team of specialized sub-agents to drive marketing, so founders don't have to. Give Okara your website URL, and the AI CMO builds a marketing strategy, develops a brand voice, and activates

<p><strong><a href="https://www.wired.com/story/anthropic-responds-to-backlash-on-claudes-secret-sabotage-on-ai-research/">Anthropic Walks Back Policy That Could Have ‘Sabotaged’ AI Researchers Using Claude</a></strong></p>Big scoop for Maxwell Zeff at Wired:</p><blockquote><p>“We’re changing Fable 5’s safeguards for frontier LLM development to make them visible.” Anthropic said in a statement to WIRED. “We made the wrong tradeoff and we apo...

Every val gets its own blobs

WASI 0.3 is official, and async is now native to WebAssembly Components. The WASI Subgroup voted to ratify WASI 0.3.0, rebasing WASI onto the WebAssembly Component Model’s async primitives. The 0.3.0 specification is now stable, and runtime and toolchain support is landing now.

Upgrade guide for Fumadocs OpenAPI v11.

pnpm used to expand $ placeholders everywhere it found them — including in the .npmrc and pnpm-workspace.yaml files that live inside the repository you just cloned. That turned out to be a way for a malicious repository to steal the secrets in your environment. As of v10.34.2 and v11.5.3, pnpm stops expanding environment variables in repository-controlled registry and credential settings.

pnpm 11.6 adds a file-free way to supply registry authentication through npmconfig//… and pnpmconfig//… environment variables, raises the default network concurrency, and skips full re-resolution when only pnpm-lock.yaml is missing. It also infers platform fields for optional dependencies so foreign-platform binaries are never downloaded.

Today we are excited to release React Native 0.86!

The is now available in Grok Build.Vercel pluginGrok can now draw on Vercel knowledge as you work. Real-time activity, including file edits and terminal commands, dynamically injects the relevant knowledge into context, so answers stay aligned with current platform APIs and recommended patterns.Install it in either of two ways:Learn more about the Vercel plugin in the .documentationRead moreAdd to your prompt and Grok will recommend installing it in chatvercelOpen the Grok Build marketplace with

Azure is now a provider for DeepSeek V4 Pro and V4 Flash on .AI GatewayRequests to either model can route through Azure alongside the existing providers for another failover path. No code changes are required: default routing considers Azure automatically, and if a provider fails the gateway falls back through the remaining list.If you want requests to try Azure first, use in the gateway provider options to prefer Azure while keeping the other providers as fallback for or in the :orderdeepseek/d

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent/releases/tag/0.2a0">datasette-agent 0.2a0</a></p> <p>Highlights from the release notes:</p><blockquote><ul><li>Tools can now ask the user questions mid-execution. Tools that declare a <code>context</code> parameter receive a <code>ToolContext</code> object, and <code>await context.ask_user(...)</code> can ask a y...

<p><strong><a href="https://blog.google/innovation-and-ai/technology/developers-tools/diffusion-gemma-faster-text-generation/">DiffusionGemma</a></strong></p>Last May Google briefly released an experimental Gemini Diffusion model. I <a href="https://simonwillison.net/2025/May/21/gemini-diffusion/">tried the preview at the time</a> and recorded it running at 857 tokens/second. It was an exciting model, but Google made no further announcements about...

Developers are coding everywhere. AI agents, Slack bots, and MCP servers have made the developer device the biggest security blindspot.Category: News

Replit is integrating Socket Firewall into its AI-powered development experience to help protect builders from malicious open source packages.

Install and configure LSP servers for GitHub Copilot CLI, replacing brute-force grep/decompile with real code intelligence. The post Give GitHub Copilot CLI real code intelligence with language servers appeared first on The GitHub Blog.