<p>I just sent the March edition of my <a href="https://github.com/sponsors/simonw/">sponsors-only monthly newsletter</a>. If you are a sponsor (or if you start a sponsorship now) you can <a href="https://github.com/simonw-private/monthly/blob/main/2026-03-march.md">access it here</a>. In this month's newsletter:</p><ul><li>More agentic engineering patterns</li><li>Streaming experts with MoE models on a Mac</li><li>Model re...

はじめに こんにちは！PR TIMES第二開発部の加来安東です。 本記事では、AWS CloudTrail の監査ログを Google Cloud（BigQuery）上で分析できるように整備した事例についてご紹介します。 […]

AIと不安で眠れない夜。 あ〜〜〜〜〜今日もTwitterのタイムラインはAI、Claude、OpenClaw、エーアイ、Codex、Gemini、ハーネスの話題で持ち切りだわ。なんだよハーネスって。自意識過剰なホモサピエンスがAI様をコントロールできると考えているのか！？奴らの成長速度を考えたら、数年以内に制御できる範囲なんてとっくに飛び出して二足歩行でコンビニ行ってオハヨーのブリュレアイス買って食っとるわ。あれうますぎだろ。 あ〜〜〜〜〜わかってるよ。Twitter呼びは時代遅れだって？そのツッコミも飽きたわ！俺は死ぬまでTwitterって言うからいちいち気にしないでくれ！ ジュニアやミド…

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a6">datasette-llm 0.1a6</a></p> <blockquote><ul><li>The same model ID no longer needs to be repeated in both the default model and allowed models lists - setting it as a default model automatically adds it to the allowed models list. <a href="https://github.com/datasette/datasette-llm/issues/6">#6</a></li><li>Improved docu...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-enrichments-llm/releases/tag/0.2a1">datasette-enrichments-llm 0.2a1</a></p> <blockquote><ul><li>The <code>actor</code> who triggers an enrichment is now passed to the <code>llm.mode(... actor=actor)</code> method. <a href="https://github.com/datasette/datasette-enrichments-llm/issues/3">#3</a></li></ul></blockquote&...

The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.

Recent attacks on open source focus on exfiltrating secrets; here are the prevention steps you can take today, plus a look at the security capabilities GitHub is working on.The post Securing the open source supply chain across GitHub appeared first on The GitHub Blog.

/fleet lets Copilot CLI dispatch multiple agents in parallel. Learn how to write prompts that split work across files, declare dependencies, and avoid common pitfalls.The post Run multiple agents at once with /fleet in Copilot CLI appeared first on The GitHub Blog.

記事は ics.media へアクセスしてご覧ください。

These are the historical pranks I consider the top 10 most noteworthy, rather than the “best.” You’ll see that some of them crossed the line and/or backfired.Front-End Fools: Top 10 April Fools’ UI Pranks of All Time originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

NGINX Gateway Fabric 2.5.0 is here, and this one is a big deal. The release doubles down on enterprise-grade capabilities while keeping us at the forefront of Gateway API conformance. NGF remains one of the top conformant implementations of the Gateway API spec, and this release reinforces why. Here’s what’s new. Gateway API 1.5 Conformance […]

A deep sniff of the new CSS Olfactive API, a set of proposed features for immersive user experiences using smell.Sniffing Out the CSS Olfactive API originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

Eight years ago, we launched 1.1.1.1 to build a faster, more private Internet. Today, we’re sharing the results of our latest independent examination. The result: our privacy protections are working exactly as promised.

Today we are launching the beta of EmDash, a full-stack serverless JavaScript CMS built on Astro 6.0. It combines the features of a traditional CMS with modern security, running plugins in sandboxed Worker isolates.

DockerfileやComposeファイルのイメージ参照に@sha256:<digest>を自動で追加するCLIツール dockerfile-pin を作りました。GitHub: azu/dockerfile-pinなぜ作ったかtrivyへのサプライチェーン攻撃などの事件を見ていると、次に狙われるのはDocker Hubかなと思ったのがきっかけです。CIでDocker Hubへのpushをしているケースは多いので、そこに悪意あるコードが混入する事件は今後も起きるだろうと思っています。Dockerイメージのタグ（例：node:20）はデフォルトで可変（mutable）です。同じタグ名で中身を上書きできるため、悪意ある第三者がレジストリへのアクセスを得た場合、既存タグに対して改竄されたイメージをpushできます。Can a Docker Hub tag have its content changed? - Docker Community ForumsDocker Hubなどのレジストリは安全とは限りません。npmのようにトークンの制限が厳しくなっていたり、デフォルトでタグ...

Design principles with references, examples, and methods for quick look-up. Brought to you by Design Patterns For AI Interfaces, **friendly video courses on UX** and design patterns by Vitaly.

デザインデータ（Figma）v2.11.1を公開しました。

テキストエリアに文字数カウンターを追加。プログレスインジケーターを新規追加。

本ウェブサイトのソースコードの可読性を向上しました。

We’re excited to announce that RSS feed support for blog.jetbrains.com and all JetBrains product blogs is now generally available. After months of development and rigorous testing across 47 RSS readers on 6 platforms, we’re proud to deliver a reliable, standards-compliant way for you to read JetBrains content in the environment of your choice. What You […]

Browse Supabase docs with grep, find, and cat.

株式会社はてなに入社しました 株式会社はてなに入社しました - hitode909の日記

Claude Code のスキルが数十個に増えてきたのですが、全員に一律で適用されるのがつらくなってきたので、Plugin Marketplace を使ってオプトイン配布に移行しました。 スキルが増えると何が起きるか Claude Code のスキルは .claude/skills/ に配置すると、リポジトリを開いた全員に適用されます。数個なら問題ないのですが、数十個に増えてくるとスキルの description マッチングで意図しないスキルまで発火するようになってきました。QA 向けのスキルがバックエンドエンジニアの作業中に反応したり、フロントエンド向けのスキルがインフラの作業で発火したりと…

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-extract/releases/tag/0.3a0">datasette-extract 0.3a0</a></p> <ul><li>Now uses <a href="https://github.com/datasette/datasette-llm">datasette-llm</a> to manage model configuration, which means you can control which models are available for extraction tasks using the <code>extract</code> purpose and <a href="https://github.com/datasette/datasette-l...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-enrichments-llm/releases/tag/0.2a0">datasette-enrichments-llm 0.2a0</a></p> <blockquote><ul><li>This plugin now uses <a href="https://github.com/datasette/datasette-llm">datasette-llm</a> to configure and manage models. This means it's possible to <a href="https://github.com/datasette/datasette-enrichments-llm/blob/0.2a0/README.md#configuration">sp...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm-usage/releases/tag/0.2a0">datasette-llm-usage 0.2a0</a></p> <blockquote><ul><li>Removed features relating to allowances and estimated pricing. These are now the domain of <a href="https://github.com/datasette/datasette-llm-accountant">datasette-llm-accountant</a>.</li><li>Now depends on <a href="https://github.com/datasette/datasette-l...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a5">datasette-llm 0.1a5</a></p> <blockquote><ul><li>The <code>llm_prompt_context()</code> plugin hook wrapper mechanism now tracks prompts executed within a chain as well as one-off prompts, which means it can be used to track tool call loops. <a href="https://github.com/datasette/datasette-llm">#5</a></li></ul&gt...

<blockquote cite="https://www.greptile.com/blog/ai-slopware-future"><p>I want to argue that AI models will write good code because of economic incentives. Good code is cheaper to generate and maintain. Competition is high between the AI models right now, and the ones that win will help developers ship reliable features fastest, which requires simple, maintainable code. Good code will prevail, not only because we want it to (though we do!), but because economic forces demand it. Mark...

こんにちは。LINEヤフー株式会社で認証・認可基盤Athenzの開発・運用を担当している金 廷祐（Kim, Jeongwoo）です。この記事では、AIエージェントがさまざまなサービスと連携する際のトー...

We analyzed 1,140 early-stage funding rounds in developer tools, cybersecurity, and infrastructure from January 2025 through March 2026. Here are the top VCs and investors writing checks, the metrics that got companies funded, and the exact person to email based on what you're building.

React Admin is a great framework to build admin interfaces. However we can do better, we can do simpler, we can do faster. How? By leveraging the power of old and robust technology: COBOL.

This month, a new best practices guide was added to the Svelte docs. Check it out, if you haven't already!On the code side, the Svelte MCP got even easier to use with improvements to the official OpenCode package. Combined with the improvements to svelte.config.js, server-side error boundaries in SvelteKit and better types all around, this month is full of great improvements!As always, there's plenty in the showcase too!What's new in Svelte and SvelteKitMCP: Svelte's OpenCode config can now be f

AI agents don't have phones, fingerprints, or sessions. The identity infrastructure they need looks nothing like what we built for humans.

What they are, how they work, and why modern password security has moved beyond them.

A practical comparison of the leading multi-factor authentication solutions: what they're good at, where they fall short, and how to choose the right one for your stack.

Send Playwright test runs to Checkly with traces, videos, screenshots, flaky test visibility, and session history, then take key tests into monitoring.

<p><strong><a href="https://socket.dev/blog/axios-npm-package-compromised">Supply Chain Attack on Axios Pulls Malicious Dependency from npm</a></strong></p>Useful writeup of today's supply chain attack against Axios, the HTTP client NPM package with <a href="https://www.npmjs.com/package/axios">101 million weekly downloads</a>. Versions <code>1.14.1</code> and <code>0.30.4</code> both included a new dependency called <co...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a4">datasette-llm 0.1a4</a></p> <blockquote><ul><li>Ability to <a href="https://github.com/datasette/datasette-llm/blob/0.1a4/README.md#model-references-with-custom-api-keys">configure different API keys for models based on their purpose</a> - for example, set it up so enrichments always use <code>gpt-5.4-mini</code> with ...

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-all-models-async/releases/tag/0.1">llm-all-models-async 0.1</a></p> <p>LLM plugins can define new models in both <a href="https://llm.datasette.io/en/stable/plugins/tutorial-model-plugin.html">sync</a> and <a href="https://llm.datasette.io/en/stable/plugins/advanced-model-plugins.html#async-models">async</a> varieties. The async variants are most common for API-b...

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm/releases/tag/0.30">llm 0.30</a></p> <blockquote><ul><li>The <a href="http://llm.datasette.io/en/stable/plugins/plugin-hooks.html#plugin-hooks-register-models">register_models() plugin hook</a> now takes an optional <code>model_aliases</code> parameter listing all of the models, async models and aliases that have been registered so far by other plugins...

Today, alongside our colleagues at Google and Mozilla, we announced JetStream 3.0, a major update to the cross-browser benchmark suite.

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-echo/releases/tag/0.4">llm-echo 0.4</a></p> <blockquote><ul><li>Prompts now have the <code>input_tokens</code> and <code>output_tokens</code> fields populated on the response.</li></ul></blockquote> <p>Tags: <a href="https://simonwillison.net/tags/llm">llm</a></p>

I used coding agents to build agents that automated part of my job. Here's what I learned about working better with coding agents.The post Agent-driven development in Copilot Applied Science appeared first on The GitHub Blog.

There is a category of apps that help record short-form videos, mostly screencasts. For those of you who work on products that you need to showcase/teach people how to use, video can be super effective. Here’s a list of the ones I’ve seen for reference: I’ve been trying them out for videos like this, but […]

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-echo/releases/tag/0.3">llm-echo 0.3</a></p> <blockquote><ul><li>Mechanisms for <a href="https://github.com/simonw/llm-echo/blob/0.3/README.md#tool-calling">testing tool calls</a>. #3</li><li>Mechanism for <a href="https://github.com/simonw/llm-echo/blob/0.3/README.md#raw-responses">testing raw responses</a>. #4</li><li>New <...

Short n’ sweet but ever so neat, this issue covers light/dark favicons, @mixin, anchor-interpolated morphing, object-view-box, new web features, and more.What’s !important #8: Light/Dark Favicons, @mixin, object-view-box, and More originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

Magic Transit customers can now program their own DDoS mitigation logic and deploy it across Cloudflare’s global network. This enables precise, stateful mitigation for custom and proprietary UDP protocols.

With the new month just around the corner, could there be a better occasion to freshen up your desktop? If you’re looking for some unique and inspiring wallpapers to accompany you on all those adventures that April may bring — and maybe spark some new ideas, too — well, this post has got you covered.

Codex プラグインを使用すると、Claude Code から Codex を呼び出してコードレビューをしたり、タスクを委任するといったことが簡単にできるようになります。この記事では、Codex プラグインの使用方法と、どのような方法で Codex を呼び出しているのかといった内部の仕組みについて紹介します。

「カミナシ レポート」の開発・運用をしている、AWS インフラが得意な Security Engineering の furuya です（属性過多）。妙に流行り物に乗っかるときがあるのですが、「超かぐや姫!」を見てきました。よかったです。それはさておき今回は「カミナシ レポート」の開発におけるセキュリティ向上施策のお話です。 カミナシでは開発チームに Security Engineer を派遣する取り組みがあります。 kaminashi-developer.hatenablog.jp 気がつけば、この記事の公開から1年が経過していました。ここでそれを振り返ってみたいと思います。 サービスにおけ…

話すこと LLM プロバイダー（Azure OpenAI / Vertex AI / Anthrop ...

こんにちは！ サイボウズ株式会社 デザインテクノロジストの saku (@sakupi01) です。 はじめにサイボウズは 2025 年 4 月より、W3C のメンバーに加入しました。https://blog.cybozu.io/entry/joining-w3c標準化プロセスに関わることができるようになるための最初の一歩として、フロントエンドエンジニアの一部のメンバーは積極的に Web 標準のキャッチアップを行っています。そこで、毎月メンバーが興味を持った Web 標準に関する話題や、実際に標準化プロセスに関わることができた場合にはその報告などを 1 つの記事としてまとめ、...

A supply chain attack on Axios introduced a malicious dependency, [email protected], published minutes earlier and absent from the project’s GitHub releases.

こんにちは。 AI 事業本部 AI クリエイティブカンパニー BPO 事業部のエンジニアの佐藤 (@ ...

こんにちは。LINEヤフー研究所の大神と田口です。パスワードを使わない認証方法として、「パスキー（Passkey）」を目にする機会が増えてきました。パスキーを使う認証（パスキー認証）では、端末の画面ロ...

こんにちは、PR TIMESでインターンをしている笹山雷雅です。 レビュー中や検証中に、いま触っているブランチをそのまま残したまま、別ブランチの挙動を確認したくなる場面は少なくありません。 ただ、git switch を […]

March 2026 - Astro 6, CloudCannon CMS Partnership, Astro Together London, and more!

March always seems to be my life’s busiest month.Things I wrote and made“The two kinds of error”: in my mind, software errors are divided into two categories: expected and unexpected errors. I finally wrote up this idea I’ve had for a long time.“All tests pass” is a short story about a strange, and sorta sad, experience I had with a coding agent.Inspired by others, I published a disclaimer about how I use generative AI to write this blog. My main rule of thumb: the final product must be word-for

At 1Password, our mission is simple: to protect people’s most critical information, their credentials. At the time of writing this post, I personally have 291 items in my vault, so the long-term confidentiality of this data is critical to myself and every 1Password user. We are thrilled to announce the first major milestone in our post-quantum cryptography (PQC) journey, the successful deployment of PQC on 1Password’s web application. If you’re using a PQC-capable browser, such as Chrome or Fire

Most organizations can tell you which apps sit behind SSO. Far fewer can tell you what other apps teams are using, or who has access to the credentials.Shared and sensitive non-SSO logins remain some of the hardest access paths to govern. Credentials are often tied to individuals, scattered across vaults and browsers, and difficult to rotate or revoke when roles change. For many teams, this creates a gap in their Zero Trust strategy.For the last several months, we’ve been hard at work connecting

Cookie syncing and credential injection get agents past login screens, but they break every security assumption your app relies on.

How to design AI agents that do less, prove more, and stay within boundaries your security team can actually audit.

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-files/releases/tag/0.1a3">datasette-files 0.1a3</a></p> <p>I'm working on integrating <code>datasette-files</code> into other plugins, such as <a href="https://github.com/datasette/datasette-extract">datasette-extract</a>. This necessitated a new release of the base plugin.</p><blockquote><ul><li><code>owners_can_edit</co...

目次 はじめに 背景と課題 避難訓練の全体像 GUIベースのツールを選定した理由 AIによるシナリオ ...

<blockquote cite="https://twitter.com/ggerganov/status/2038674698809102599"><p>Note that the main issues that people currently unknowingly face with local models mostly revolve around the harness and some intricacies around model chat templates and prompt construction. Sometimes there are even pure inference bugs. From typing the task in the client to the actual result, there is a long chain of components that atm are not only fragile - are also developed by different parties. So it...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a3">datasette-llm 0.1a3</a></p> <p>Adds the ability to configure <a href="https://github.com/datasette/datasette-llm/tree/0.1a3#purpose-specific-configuration">which LLMs are available for which purpose</a>, which means you can restrict the list of models that can be used with a specific plugin. <a href="https://github.com/datasette/datasette-...

Learn how to secure your projects and keep them safe with GitHub Advanced Security.The post GitHub for Beginners: Getting started with GitHub security appeared first on The GitHub Blog.

Even if you nest details elements, you can ensure only one level of them is open at a time, making a menu you can drill down (and up!) from.

Hello, and welcome to the first State of Flint blog post! These posts explain the high-level status of the Flint project - what's been done, what's coming up next, and what's being pushed to the backlog. For this first post, we'll cover progress made from Flint's start in 2025 through the first few months of 2026.

<p>Trip Venturella released <a href="https://www.estragon.news/mr-chatterbox-or-the-modern-prometheus/">Mr. Chatterbox</a>, a language model trained entirely on out-of-copyright text from the British Library. Here's how he describes it in <a href="https://huggingface.co/tventurella/mr_chatterbox_model">the model card</a>:</p><blockquote><p>Mr. Chatterbox is a language model trained entirely from scratch on a corpus of over 28,000 Victorian-era Bri...

That gap between "the form works" and "the business works" is something we don't really tend to discuss much as front-enders. We focus a great deal on user experience, validation methods, and accessibility, yet we overlook what the data does once it leaves our controlForm Automation Tips for Happier User and Clients originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

If you’ve ever tried to build a data table with a sticky header and a sticky first column, you know the pain. You’d think a simple position: sticky with top: 0 and left: 0 would be enough, but the reality was that only one of both would stick.A recent change to CSS fixes this: position: sticky now plays nice with single-axis scrollers, allowing you to have sticky elements that track different scroll containers on different axes. This change is available in Chrome 148.

If your design system can only apply `loading=lazy` or `fetchpriority=high` blindly, it may be safer not to apply them at all.

こんにちは！第一開発部でエンジニアとしてインターンをしていた三宅（@pure_notchman)です。PR TIMESのインターンを卒業することになったため、これまで取り組んできた開発や学びについて振り返りたいと思います […]

We are opening our advanced Client-Side Security tools to all users, featuring a new cascading AI detection system. By combining graph neural networks and LLMs, we've reduced false positives by up to 200x while catching sophisticated zero-day exploits.

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-mrchatterbox/releases/tag/0.1">llm-mrchatterbox 0.1</a></p> <p>See <a href="https://simonwillison.net/2026/Mar/30/mr-chatterbox/">Mr. Chatterbox is a (weak) Victorian-era ethically trained model you can run on your own computer</a>.</p> <p>Tags: <a href="https://simonwillison.net/tags/llm">llm</a></p>

NestJS is code-first by default meaning decorators describe your API, and the spec is generated from code. But decorators don't enforce anything at compile time. This post shows how to flip the flow to generate controller method types from an OpenAPI spec and let TypeScript catch contract drift before reaching production.

Read March 2026 Security Releases

Sansec is tracking a mass exploitation wave of the PolyShell vulnerability that hit hundreds of online stores within a single hour today. The attacks are ongoing: new victims appear every minute.N...

How AI agents get hijacked, poisoned, and over-privileged, and why identity is the fix for most of it.

How comparing login timestamps and locations catches credential theft before attackers get in.

Let users sync their GitLab projects in your app, using a fresh access token, without writing any OAuth logic.

はじめに こんにちは。AmebaLIFE事業本部エンジニアのsatominです。 この記事では、ビジ ...

ABEMA バックエンドエンジニアの大真です。 ABEMAのサブスクリプションシステムをリファクタリ ...

<p><strong><a href="https://github.com/chenglou/pretext">Pretext</a></strong></p>Exciting new browser library from Cheng Lou, previously a React core developer and the original creator of the <a href="https://github.com/chenglou/react-motion">react-motion</a> animation library.</p><p>Pretext solves the problem of calculating the height of a paragraph of line-wrapped text <em>without touching the DOM</em>. The usual way of d...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/pretext-explainer">Pretext — Under the Hood</a></p> <p>See <a href="https://simonwillison.net/2026/Mar/29/pretext/">my notes on Pretext here</a>.</p>

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/python-vulnerability-lookup">Python Vulnerability Lookup</a></p> <p>I learned that the <a href="https://osv.dev/">OSV.dev</a> open source vulnerability database has an open CORS <a href="https://google.github.io/osv.dev/api/">JSON API</a>, so I had Claude Code build this <a href="https://simonwillison.net/2025/Dec/10/html-tools/">HTML tool</a> for past...

<blockquote cite="https://interconnected.org/home/2026/03/28/architecture"><p>The thing about agentic coding is that agents grind problems into dust. Give an agent a problem and a while loop and - long term - it’ll solve that problem even if it means burning a trillion tokens and re-writing down to the silicon. [...]</p><p>But we want AI agents to solve coding problems quickly and in a way that is maintainable and adaptive and composable (benefiting from improvements els...

みなさんにもマウスホバーで表示されるバルーン内のリンクが開けなくてイラついた経験があるかと思います. リンクにカーソルを移動しようとすると閉じてしまうバルーン 丁寧に吹き出しの三角形の部分を通ったときだけリンクに辿り着ける. イライラ棒か? こんな体験は今すぐ滅ぼしましょう. Web なら floating-ui を使うと, そもそものバルーン自体の実装も簡単にできますし, この問題への対策も 1 行で済みます. 対策 1. バルーンが閉じるのを遅延させる リンクにカーソルを合わせようとするとマウスホバーが外れ, その瞬間にバルーンが閉じてしまうのが問題の原因です. ということで, 素朴にはバ…

Cline Kanban は人間が数十個のエージェントを運用するうえで正気を保つためにはどうすればいいか、という問いに対する 1 つの答えとして、Cline が開発したツールです。Cline Kanban はカンバン方式のビューを提供します。各カードは稼働中のエージェントを表しており、どのエージェントが実行中で、どのエージェントが作業がブロックされているのか、どのエージェントが完了しているのかを一目で把握できるようになっています。

2026 年 3 月末、Figma の MCP サーバーに Figma のキャンバスを直接操作できる `use_figma` ツールが追加されました。`use_figma` ツールは Figma Plugin API を通じて Figma ファイル上で JavaScript を直接実行する汎用ツールとして設計されている点が特徴です。この記事では、実際に `use_figma` ツールを使用して Figma のキャンバスを操作する方法を試してみます。

<p><strong>Release:</strong> <a href="https://github.com/simonw/datasette-showboat/releases/tag/0.1a2">datasette-showboat 0.1a2</a></p> <p>I added an option to export a Markdown file from my app that lets Showboat <a href="https://simonwillison.net/2026/Feb/17/chartroom-and-datasette-showboat/#showboat-remote-publishing">incrementally publish updates</a> to a remote server.</p>

<blockquote cite="https://github.com/chardet/chardet/issues/334#issuecomment-4098524555"><p>FWIW, IANDBL, TINLA, etc., I don’t currently see any basis for concluding that chardet 7.0.0 is required to be released under the LGPL. AFAIK no one including Mark Pilgrim has identified persistence of copyrightable expressive material from earlier versions in 7.0.0 nor has anyone articulated some viable alternate theory of license violation. [...]</p></blockquote><p class="cit...

<p>I have a new laptop - a 128GB M5 MacBook Pro, which early impressions show to be <em>very</em> capable for running good local LLMs. I got frustrated with Activity Monitor and decided to vibe code up some alternative tools for monitoring performance and I'm very happy with the results.</p><p>This is my second experiment with vibe coding macOS apps - the first was <a href="https://simonwillison.net/2026/Feb/25/present/">this presentation app a few weeks ago&...

Workflows are now visualized via step diagrams in the dashboard. Here’s how we translate your TypeScript code into a visual representation of the workflow.

JavaScript for Everyone: DestructuringMat explains the ever-useful, but sometimes hard to understand destructuring assignment in JavaScript.Mise en ModeA very good methodology for design systems now has a book!The old internet is still hereA great reminder for us all. Don't get nostalgic and get surfing instead.2026 design systems reportAnother year and another design systems report, this time delivered with a lovely, texture-rich UI.Paper birdsSome stunning, physical art for you to enjoy.P.S. t

Malicious versions of the Telnyx Python SDK on PyPI delivered credential-stealing malware via a multi-stage supply chain attack.

The next iteration of view transitions is here!

Discover some of the interesting features that have landed in stable and beta web browsers during March 2026.

こんにちは！PR TIMES の河瀨翔吾（@shogogg）です。エンジニアリングマネージャーとして、プレスリリース配信サービス PR TIMES の開発や開発チームのマネジメント、業務改善、採用などを行っています。好き […]

こんにちは！PR TIMES の河瀨翔吾（@shogogg）です。エンジニアリングマネージャーとして、プレスリリース配信サービス PR TIMES の開発や開発チームのマネジメント、業務改善、採用などを行っています。好き […]

<p><strong><a href="https://www.reco.ai/blog/we-rewrote-jsonata-with-ai">We Rewrote JSONata with AI in a Day, Saved $500K/Year</a></strong></p>Bit of a hyperbolic framing but this looks like another case study of <strong>vibe porting</strong>, this time spinning up a new custom Go implementation of the <a href="https://jsonata.org">JSONata</a> JSON expression language - similar in focus to jq, and heavily associated with the <a href...

Every year, security and tech leaders come to the RSA conference in San Francisco to take the industry’s pulse, and every RSAC tends to be dominated by a single, overarching theme. Last year, the theme was: “AI agents are coming, and governance isn’t ready.” And sure enough, the theme of RSAC 2026 was: “AI agents are here, and governance needs to catch up.”Throughout the conference, security practitioners, vendors, and analysts were all asking the same questions:How can we enable a culture of ag

Understand why scopes and claims serve different roles in OAuth 2.0 and OpenID Connect, and how to design around each.

A developer's guide to registering redirect URIs per environment, debugging "invalid redirect URI" errors, and knowing when to use impersonation instead.

Authentication doesn't end at login. For modern SaaS applications, the real security perimeter is the token, and attackers know it.

Preconnect hints can speed up page loads, but what happens when you use too many? We tested the impact of excessive preconnects on page speed.

<p><strong><a href="https://futuresearch.ai/blog/litellm-attack-transcript/">My minute-by-minute response to the LiteLLM malware attack</a></strong></p>Callum McMahon reported the <a href="https://simonwillison.net/2026/Mar/24/malicious-litellm/">LiteLLM malware attack</a> to PyPI. Here he shares the Claude transcripts he used to help him confirm the vulnerability and decide what to do about it. Claude even suggested the PyPI security contact addr...

Safari Technology Preview Release 240 is now available for download for macOS Tahoe and macOS Sequoia.

NGINX 1.29.6 and 1.29.7 introduce significant updates and mark the first in a planned series to add capabilities to NGINX Open Source formerly limited to NGINX Plus. With updates to core runtime behavior and network support, these releases ensure that NGINX can continue to meet the needs of modern applications and AI workloads. Highlights of these releases include: Together, these changes expand what operators can do with NGINX Open Source while simplifying configurations for optimizing performa

A look at GitHub Actions’ 2026 roadmap, outlining how secure defaults, policy controls, and CI/CD observability harden the software supply chain end to end.The post What’s coming to our GitHub Actions 2026 security roadmap appeared first on The GitHub Blog.

TeamPCP is partnering with ransomware group Vect to turn open source supply chain attacks on tools like Trivy and LiteLLM into large-scale ransomware operations.

<p><strong><a href="https://ngrok.com/blog/quantization">Quantization from the ground up</a></strong></p>Sam Rose continues <a href="https://simonwillison.net/tags/sam-rose/">his streak</a> of publishing spectacularly informative interactive essays, this time explaining how quantization of Large Language Models works (which he says might be "<a href="https://twitter.com/samwhoo/status/2036845101561835968">the best post I've ever made</a&g...

Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here’s what changed and what it means for your triage and response. The post A year of open source vulnerability trends: CVEs, advisories, and malware appeared first on The GitHub Blog.

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a2">datasette-llm 0.1a2</a></p> <blockquote><ul><li><code>actor</code> is now available to the <code>llm_prompt_context</code> plugin hook. <a href="https://github.com/datasette/datasette-llm/pull/2">#2</a></li></ul></blockquote> <p>Tags: <a href="https://simonwillison.net/tags/llm"&g...

A look at an example task an interviewer might give you and all the details of how you could approach and and what they are watching for.

Looking at research and experiments that are designed to automatically generate user interfaces based on user preferences.Generative UI Notes originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

When we investigated why our Atlantis instance took 30 minutes to restart, we discovered a bottleneck in how Kubernetes handles volume permissions. By adjusting the fsGroupChangePolicy, we reduced restart times to 30 seconds.

Accessibility had never really played a significant role since I started working as a front-end developer in 2019. It didn’t have a significant role in my boot camp, or in YouTube tutorials I watched, and certainly not in my job.At some point I got very invested in accessibility, because it was the missing link for me in my profession. Suddenly, the things I built not only looked good, but they also worked as expected when using a keyboard and a screen reader. Slowly, practicing web development

Success in modern UX isn’t about having the most content. It’s about having the most findable content. Yet even with more data and better tools than ever, internal search often fails, leaving users to rely on global search engines to find a single page on a local site. Why does the “Big Box” still win, and how can we bring users back?