We're building AI Gateway into a unified inference layer for AI, letting developers call models from 14+ providers. New features include Workers AI binding integration and an expanded catalog with multimodal models.

We built a custom technology stack to run fast large language models on Cloudflare’s infrastructure. This post explores the engineering trade-offs and technical optimizations required to make high-performance AI inference accessible.

Behind every technology, there should be a guide for its use. While JavaScript modules make it easier to write “big” programs, if there are no principles or systems for using them, things could easily become difficult to maintain.A Well-Designed JavaScript Module System is Your First Architecture Decision originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

StepSecurity adds cooldown and group support for Dependabot configuration, giving teams control over update frequency and PR batching across npm, pip, Docker, and GitHub Actions. Reduce alert fatigue. Merge more patches. Strengthen your supply chain.

AI Search is the search primitive for your agents. Create instances dynamically, upload files, and search across instances with hybrid retrieval and relevance boosting. Just create a search instance, upload, and search.

Learn how to deploy PlanetScale Postgres and MySQL databases via Cloudflare and connect Cloudflare Workers.

Let's work out what I need to account for here by referring back to our existing page audit.I need to account for the following:Post listings, limited by a defined items per pagePagination to render each page of post listingsThe actual blog items themselvesWith those, I'd consider this base implementation done, which is where I want to be in this iteration.A pagination shell component---const { next, previous } = Astro.props;---{ (previous || next) && ( <div class="wrapper"> <na...

apm は Microsoft が開発した AI エージェント向けパッケージマネージャーです。npm や pip のように依存関係を解決しながら、エージェントのスキルや MCP をパッケージ化して管理・共有できます。この記事では apm の基本的な使い方を紹介します。

This release marks the start of the maintenance phase for the LTS Edition. Learn what this means for LTS customers and what to expect going forward.

Earlier this winter, JetBrains and Cloud9 launched Sky’s the Limit, a global hackathon created to bring together two communities that share the same DNA: developers and esports enthusiasts. The idea was straightforward – developers like solving complex problems, and esports is full of strategy, data, and performance questions. Put those together, and you get plenty […]

Backend Engineer · Open source · Terminal

Agents are becoming multi-channel. That means making them available wherever your users already are — including the inbox. Today, Cloudflare Email Service enters public beta with the infrastructure layer to make that easy: send, receive, and process email natively from your agents.

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/datasette-io-preview">datasette.io news preview</a></p> <p>The <a href="https://datasette.io/">datasette.io</a> website has a news section built from this <a href="https://github.com/simonw/datasette.io/blob/main/news.yaml">news.yaml</a> file in the underlying GitHub repository. The YAML format looks like this:</p><pre><code>- date: 2026-04-15 bo...

Lynx 3.7 is now officially released! This release brings official desktop platform support for macOS and Windows, introduces the new SVG element, introduces new agent skills for better observability, and updates ReactLynx with simpler External Bundle presets and shared runtime modules.

Is an OpenAPI spec enough to let AI agents interact with a REST API? Let's find out.

How a prototype pollution bug in one library and a missing header check in another nearly chained into AWS credential theft.

Master secure authentication in Go, from middleware design and JWTs to session management and enterprise SSO, with production-ready patterns and security best practices.

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-export-database/releases/tag/0.3a1">datasette-export-database 0.3a1</a></p> <p>This plugin was using the <code>ds_csrftoken</code> cookie as part of a custom signed URL, which needed upgrading now that Datasette 1.0a27 <a href="https://simonwillison.net/2026/Apr/14/replace-token-based-csrf/">no longer sets that cookie</a>.</p> <p>Tags: <a ...

<p><strong>Release:</strong> <a href="https://github.com/simonw/datasette/releases/tag/1.0a27">datasette 1.0a27</a></p> <p>Two major changes in this new Datasette alpha. I covered the first of those <a href="https://simonwillison.net/2026/Apr/14/replace-token-based-csrf/">in detail yesterday</a> - Datasette no longer uses Django-style CSRF form tokens, instead using modern browser headers <a href="https://words.filippo.io/csrf">as desc...

Caching is one of the fastest ways to reduce backend load and improve response latency in Kubernetes. With NGINX Ingress Controller (NIC), you can define caching behavior as a first-class Policy resource and attach it to a VirtualServer or VirtualServerRoute. That keeps caching configuration explicit, reusable, and versioned with the rest of your traffic policy. […]

This article covers a layout approach that better fits the modern web: fluid, intrinsic components that adapt by default, and treat conditional rules as local, intentional exceptions.

<blockquote cite="https://daringfireball.net/2026/04/piece_android_iphone_apps"><p>The real goldmine isn’t that Apple gets a cut of every App Store transaction. It’s that Apple’s platforms have the best apps, and users who are drawn to the best apps are thus drawn to the iPhone, Mac, and iPad. That edge is waning. Not because software on other platforms is getting better, but because third-party software on iPhone, Mac, and iPad is regressing to the mean, <em>to some extent&lt...

<p><strong><a href="https://blog.google/innovation-and-ai/models-and-research/gemini-models/gemini-3-1-flash-tts/">Gemini 3.1 Flash TTS</a></strong></p>Google released Gemini 3.1 Flash TTS today, a new text-to-speech model that can be directed using prompts.</p><p>It's presented via the standard Gemini API using <code>gemini-3.1-flash-tts-preview</code> as the model ID, but can only output audio files.</p><p>The <a href=...

Learn about the productivity tool one GitHub engineer built, and how AI supported the development process.The post Build a personal organization command center with GitHub Copilot CLI appeared first on The GitHub Blog.

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/gemini-flash-tts">Gemini 3.1 Flash TTS</a></p> <p>See <a href="https://simonwillison.net/2026/Apr/15/gemini-31-flash-tts/">my notes</a> on Google's new Gemini 3.1 Flash TTS text-to-speech model.</p> <p>Tags: <a href="https://simonwillison.net/tags/gemini">gemini</a>, <a href="https://simonwillison.net/tags/google">google</a></p>

<blockquote cite="https://aphyr.com/posts/419-the-future-of-everything-is-lies-i-guess-new-jobs"><p>I think we will see some people employed (though perhaps not explicitly) as <em>meat shields</em>: people who are accountable for ML systems under their supervision. The accountability may be purely internal, as when Meta hires human beings to review the decisions of automated moderation systems. It may be external, as when lawyers are penalized for submitting LLM lies to ...

Harness CEO Jyoti Bansal discusses AI-native software delivery, developer productivity, and where the industry is headed. Interview from HumanX 2026.

We’re sharing recent policy updates that developers should know about, updating our Transparency Center with the full year of 2025 data, and looking to what’s ahead.The post Developer policy update: Intermediary liability, copyright, and transparency appeared first on The GitHub Blog.

Announcing a preview of the next edition of the Agents SDK — from lightweight primitives to a batteries-included platform for AI agents that think, act, and persist.

Agent Lee is an in-dashboard agent that shifts Cloudflare’s interface from manual tab-switching to a single prompt. Using sandboxed TypeScript, it helps you troubleshoot and manage your stack as a grounded technical collaborator.

The Cloudflare Registrar API is now in beta. Developers and AI agents can search, check availability, and register domains at cost directly from their editor, their terminal, or their agent — without leaving their workflow.

Browser Rendering is now Browser Run, with Live View, Human in the Loop, CDP access, session recordings, and 4x higher concurrency limits for AI agents.

Cloudflare Workflows, a durable execution engine for multi-step applications, now supports higher concurrency and creation rate limits through a rearchitectured control plane, helping scale to meet the use cases for durable background agents.

An experimental voice pipeline for the Agents SDK enables real-time voice interactions over WebSockets. Developers can now build agents with continuous STT and TTS in just ~30 lines of server-side code.

デザインデータ（Figma）v2.13.0を公開しました。

Learn how Chrome Autofill is improving support for Japanese phonetic names (Furigana), making it easier for users to fill out web forms.

こんにちは。技術推進本部の @shia です。前回は kuro の活動事例を紹介しましたので、今回はその裏側を解説していきます。 なぜ自作したのか 前回の記事を読んで「既存の SaaS やマネージドなエージェントサービスを使えばいいのでは？」と思った方もいるかもしれません。一応、いくつかの理由から自作という判断に至っています。 まず、開発着手した 2 月時点では利用できるサービスの選択肢がそもそも多くありませんでした。使えると考えたのは Devin くらいで、実際使ってもいましたが、 GitHub 上のやり取りに制約があったり、開発環境の都合などで当時はやや物足りなさを覚えてました。 次に汎用…

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-ports/releases/tag/0.3">datasette-ports 0.3</a></p> <p>A small update for my tool for helping me figure out what all of the Datasette instances on my laptop are up to.</p><blockquote><ul><li>Show working directory derived from each PID</li><li>Show the full path to each database file</li></ul></blockquote><p>Output now...

こんにちは、LINEヤフー株式会社の迫川です。社内システムのデータ基盤開発を担当しながら、Orchestration Development Workshopのギルドメンバーとしても活動しています。O...

<p><strong><a href="https://ziglang.org/download/0.16.0/release-notes.html#Juicy-Main">Zig 0.16.0 release notes: "Juicy Main"</a></strong></p>Zig has <em>really good</em> release notes - comprehensive, detailed, and with relevant usage examples for each of the new features.</p><p>Of particular note in the newly released Zig 0.16.0 is what they are calling "Juicy Main" - a dependency injection feature for your program'...

こんにちは、技術広報のえんじぇるです。 2024年、2025年に引き続き STORES Tech Conf を今年も開催することになりました！ 開催日時：2026年8月31日（月）13:00開始 開催場所：浅草橋ヒューリックホール&カンファレンス 参加費用：無料 参加申込みフォーム：https://forms.gle/ijyynGHpKmWuXo2z9 今年のテーマは“World 2”です。テーマについては、後述します。 前回の開催について STORES Tech Conf 2025 では、“What Would You Do?” をテーマに開催しました。オープン枠（学生・女性向け）を設けて、…

The conversation about AI and coding work is full of highs. These models are incredible! I’m so productive. I’m not blocked by a lack of knowledge in certain areas like I used to get. I’m making projects I never would have gotten around to making. I’m having fun with code for the first time in […]

Most AI SEO advice is unproven. We tested what ChatGPT, Claude, and Perplexity actually read on our own site. Six LLM visibility techniques that worked, eight that didn't, and the metrics to tell the difference.

WorkOS CEO Michael Grinich interviews Homer Wang of TinyFish at HumanX 2026 about building AI agents and the evolving startup landscape.

WorkOS CEO Michael Grinich interviews Certn's Andrew McLeod on AI-powered background checks, trust infrastructure, and the future of identity verification.

WorkOS CEO Michael Grinich interviews Mazy Dar, founder of Here, on building AI-native video understanding at HumanX 2026.

Michael Grinich interviews Abhi Aiyer from Mastra about building open-source AI agent frameworks, developer tooling, and the evolving agentic ecosystem.

Michael Grinich interviews Ameya Bhatawdekar from Braintrust on AI evaluation, prompt engineering, and building reliable AI products at HumanX 2026.

Ojus Save from Render explains how the platform is evolving cloud infrastructure for AI workloads, GPU access, and developer experience at HumanX 2026.

Watch Saif Gunja's interview with Paul Dhaliwal of Code Conductor at HumanX 2026 on AI-assisted development and production-ready code orchestration.

WorkOS CEO Michael Grinich interviews Temporal co-founder Maxim Fateev on durable execution, AI agent reliability, and why workflows need to survive failures.

Traversal CEO Anish Agarwal explains how autonomous agents troubleshoot production incidents at scale: from world models to L5 autonomy. Interview from HumanX 2026.

AppsFlyer's Eran Dunsky shares how the company integrated AI into their marketing platform, from internal tooling to customer-facing features.

WorkOS CEO Michael Grinich interviews Webflow CEO Linda Tong on AI-powered web development, enterprise adoption, and the future of no-code at HumanX 2026.

Rob Ferguson of Fireworks AI explains why open models are catching up to frontier closed-source AI, and why data (not architecture) is the real moat.

Apollo GraphQL CEO Matt DeBergalis on why GraphQL's semantic layer matters for AI agents, how MCP and GraphQL complement each other, and what enterprise AI adoption really looks like.

Omni CEO Colin Zima talks AI agents in analytics, the three-layer future of software, and why 80% of his team's code is AI-generated.

Dialpad CTO Brian Peterson on mandating AI in engineering, the Jevons Paradox in practice, and why customer service will transform within a year.

Honeycomb CEO Christine Yen on why observability matters more than ever as AI agents reshape how software gets built, debugged, and understood.

Automation Anywhere CPO Peter White on why enterprises want solutions over technology pitches, where AI agents actually deliver, and the reality behind the hype.

Daytona CEO Ivan Burazin explains why every AI agent needs its own computer, how he built an AI with its own identity, and why SaaS is shifting from seats to consumption.

Assembled CEO John Wang explains why AI is growing support teams, not shrinking them, and why orchestration is the real differentiator in customer support.

Cosmo Wolfe explains why AI companies are rethinking pricing, why per-seat models are dying, and what Stripe's Machine Payment Protocol means for agents as buyers.

Augment Code CEO Matt McClernan discusses the rapid shift from AI code completions to agent orchestration at HumanX 2026, interviewed by WorkOS CEO Michael Grinich.

Noam Schwartz of Alice explains why prompt injection is the new SQL injection and what enterprises deploying AI agents need to know about trust and safety.

Polar Signals Cloud now resolves minified JavaScript and TypeScript profiles back to original source code using source maps.

<p><strong><a href="https://github.com/simonw/datasette/pull/2689">datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection</a></strong></p>Datasette has long protected against CSRF attacks using CSRF tokens, implemented using my <a href="https://github.com/simonw/asgi-csrf">asgi-csrf</a> Python library. These are something of a pain to work with - you need to scatter forms in templates with <code><input type...

Figma MCPやCursor、Claude CodeといったAIツールの浸透によって、Ameba ...

<p><strong><a href="https://openai.com/index/scaling-trusted-access-for-cyber-defense/">Trusted access for the next era of cyber defense</a></strong></p>OpenAI's answer to <a href="https://simonwillison.net/2026/Apr/7/project-glasswing/">Claude Mythos</a> appears to be a new model called GPT-5.4-Cyber:</p><blockquote><p>In preparation for increasingly more capable models from OpenAI over the next few months, we are fine-tuning ou...

<p><strong><a href="https://www.dbreunig.com/2026/04/14/cybersecurity-is-proof-of-work-now.html">Cybersecurity Looks Like Proof of Work Now</a></strong></p>The UK's AI Safety Institute recently published <a href="https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities">Our evaluation of Claude Mythos Preview’s cyber capabilities</a>, their own independent analysis of <a href="https://simonwillison.net/2026/Apr/7...

Socket CEO Feross Aboukhadijeh joins 10 Minutes or Less, a podcast by Ali Rohde, to discuss the recent surge in open source supply chain attacks.

Learn to find and exploit real-world agentic AI vulnerabilities through five progressive challenges in this free, open source game that over 10,000 developers have already used to sharpen their security skills.The post Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game appeared first on The GitHub Blog.

The new Code Security Risk Assessment gives you a one-click view of vulnerabilities across your organization, at no cost.The post How exposed is your code? Find out in minutes—for free appeared first on The GitHub Blog.

記事は ics.media へアクセスしてご覧ください。

One of the best-known examples of CSS state management is the checkbox hack. What if we want a component to be in one of three, four, or seven modes? That is where the Radio State Machine comes in.The Radio State Machine originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Cloudflare is introducing scannable API tokens, enhanced OAuth visibility, and GA for resource-scoped permissions. These tools help developers implement a true least-privilege architecture while protecting against credential leakage.

We share Cloudflare's internal strategy for governing MCP using Access, AI Gateway, and MCP server portals. We also launch Code Mode to slash token costs and recommend new rules for detecting Shadow MCP in Cloudflare Gateway.

Managed OAuth for Cloudflare Access helps AI agents securely navigate internal applications. By adopting RFC 9728, agents can authenticate on behalf of users without using insecure service accounts.

Cloudflare Mesh provides secure, private network access for users, nodes, and autonomous AI agents. By integrating with Workers VPC, developers can now grant agents scoped access to private databases and APIs without manual tunnels.

Over the next several weeks, we'll release lessons on AI evals.

We're transferring the Stripe Sync Engine from supabase/stripe-sync-engine to stripe/sync-engine

Read about various happenings with Baseline during March 2026.

こんにちは！26卒でサイボウズに入社した、かりんとうです。会社ではコサキンと名乗ることにしたので、ニックネームをどう切り替えるか悩みです。早速ですが、最近ルビについて調べる機会があったので、情報を整理するためにもこの記事で紹介します。 はじめにルビ（ruby）は、文字にふりがなや補足情報を付けるための仕組みです。日本では、漫画・小説・教科書・新聞など、さまざまな場面でルビが使われています。ルビは、難読漢字や固有名詞の読みを示し、読者の理解を助けるために用いられることが多いです。縦書きと併用されることも少なくありません。他の国でも使われており、例えば中国では発音を示す拼音（ピ...

こんにちは。技術推進本部の shia です。最近はエーアイというやつと向き合っておりまして、その話の一つとして2月入社した新入 AI 社員の話をします。 AI エージェント とは、LLM（大規模言語モデル）に自律的に行動させる仕組みのことで、指示を受けたら自分でツールを使ったり判断したりしながらタスクをこなしてくれるものです。 この話は二つの記事で構成される予定で、今回は活動事例、次回はその裏側を紹介していきます。 社員紹介 kuro は 2026年2月入社しており、Slack と GitHub で活動しながら、我々の事業推進を多岐にわたる方法で手伝ってくれています。 わかりやすいので Git…

こんにちは、LINEヤフー株式会社の福野です。社内のさまざまなアプリの開発を横断的に支援する仕事をしています。本記事では当社のAndroid・iOSアプリを衛星通信に対応させるための取り組みについてご...

Introducing rails_vite—a new Vite integration for Rails that works with Propshaft, not against it. Drop it into an existing jsbundling app for instant CSS HMR, or use the full gem for manifest-based asset resolution.

SEASON TWO HAS LANDED!Bob Lord has spent decades building and leading security programs, from early internet crypto work at Netscape to roles at Twitter, Yahoo, the Democratic National Committee, and CISA. In this episode of Chasing Entropy, he and host Dave Lewis get practical about why the security advice most people hear doesn’t match how real compromises happen.Across secure-by-design, AI systems, and software supply chains, security breaks down when organizations treat outcomes like someone

The affected stores span 27 countries, with France, Italy, Poland, and the Czech Republic accounting for the majority. Among them: a multi-billion dollar fashion retailer, two French university boo...

Three mechanisms guard three different checkpoints in OAuth and OpenID Connect. Here is why none of them is optional.

Why teams outgrow Amazon Cognito and which authentication platforms handle enterprise SSO, multi-tenancy, and directory sync without the glue code.

はじめに カミナシでエンジニアをしている Shimmy です。今は新規プロダクト開発をしています。 0→1の開発設計では「コードベースの持続可能性」と「短期的なデリバリー速度」の両方が重要です。そのバランスを取りながら、AIの力を最大限活かせるアーキテクチャを考えてきました。 その過程で分かった設計原則というのは、AIを活用する前から変わらないものでした。 この記事では、AIの力を引き出す設計と、その設計を決定論的に守らせる仕組みついて話します。 補足: TanStack Start（フルスタックReactフレームワーク）を利用しており、フロントエンドとバックエンドが同一コードベースにあります…

<p><a href="https://twitter.com/steve_yegge/status/2043747998740689171">Steve Yegge</a>:</p><blockquote><p>I was chatting with my buddy at Google, who's been a tech director there for about 20 years, about their AI adoption. Craziest convo I've had all year.</p><p>The TL;DR is that Google engineering appears to have the same AI adoption footprint as John Deere, the tractor company. Most of the industry has the same internal adoption curve: 20% age...

Campaign of 108 extensions harvests identities, steals sessions, and adds backdoors to browsers, all tied to the same C2 infrastructure.

Measuring performance without shooting youself in the foot (as badly)

It doesn't mean you can't get AI to help with accessible code, you've just got to know what you're doing.

<p><strong>Research:</strong> <a href="https://github.com/simonw/research/tree/main/servo-crate-exploration#readme">Exploring the new `servo` crate</a></p> <p>In <a href="https://servo.org/blog/2026/04/13/servo-0.1.0-release/">Servo is now available on crates.io</a> the Servo team announced the initial release of the <a href="https://crates.io/crates/servo">servo</a> crate, which packages their browser engine as an embeddable lib...

Learn how to create a free website for any repository on GitHub Pages.The post GitHub for Beginners: Getting started with GitHub Pages appeared first on The GitHub Blog.

We’re introducing cf, a new unified CLI designed for consistency across the Cloudflare platform, alongside Local Explorer for debugging local data. These tools simplify how developers and AI agents interact with our nearly 3,000 API operations.

Craving for a view transition? Sunkanmi has lots of common transitions you can drop into your website right now!7 View Transitions Recipes to Try originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

We’re introducing Durable Object Facets, allowing Dynamic Workers to instantiate Durable Objects with their own isolated SQLite databases. This enables developers to build platforms that run persistent, stateful code generated on-the-fly.

Cloudflare Sandboxes give AI agents a persistent, isolated environment: a real computer with a shell, a filesystem, and background processes that starts on demand and picks up exactly where it left off.

Outbound Workers for Sandboxes provide a programmable, zero-trust egress proxy for AI agents. This allows developers to inject credentials and enforce dynamic security policies without exposing sensitive tokens to untrusted code.

Have you ever heard of Disney’s 12 Basic Principles of Animation? In this tutorial, we’ll explore how we can use the very first principle to create SVG micro-interactions that feel way more natural and believable. It’s one of those small things that has a big impact.

こんにちは、STORES のえんじぇるです。 今年も STORES は RubyKaigi 2026 にNursery Sponsor および Scholarship Sponsor として協賛します！ Nursery Sponsor は2024年から3年連続で、今年も小さなRubyistのみなさんに会えるのが楽しみです！ Scholarship Sponsor として記載されているのは今年が初ですが、昨年度も学生支援を実施していました。 先日下見に行ったので、写真をまじえながら、STORES のRubyKaigi 2026への関わり方を紹介します。 函館空港でお出迎えしてくれたクマ🐻 登壇 …

本記事では、ある日起きたAurora MySQLの障害対応事例を紹介します。

<blockquote cite="https://bcantrill.dtrace.org/2026/04/12/the-peril-of-laziness-lost/"><p>The problem is that LLMs inherently <strong>lack the virtue of laziness</strong>. Work costs nothing to an LLM. LLMs do not feel a need to optimize for their own (or anyone's) future time, and will happily dump more and more onto a layercake of garbage. Left unchecked, LLMs will make systems larger, not better — appealing to perverse vanity metrics, perhaps, but at the cos...

はじめにこんにちは。SRE（Site Reliability Engineer）として働いているDahee Eoです。私たちのチームは、Media Platform SREをはじめ、グローバルトラフィ...

Lynx is moving to a faster release cadence in 2026, investing in AI-ready docs and tooling, improving desktop readiness, strengthening production infrastructure, and deepening collaboration with the open-source community.

In this release, we focused entirely on performance improvements, with the introduction of a daemon,

Today the Servo team has released v0.1.0 of the servo crate.This is our first crates.io release of the servo crate that allows Servo to be used as a library.We currently do not have any plans of publishing our demo browser servoshell to crates.io.In the 5 releases since our initial GitHub release in October 2025, our release process has matured, with the main “bottleneck” now being the human-written monthly blog post.Since we’re quite excited about this release, we decided to not wait for the mo

Let's take a look at why the common, horizontal code structure is not ideal, where it breaks down, and what we can do about it.

Learn how to monitor Shopify storefronts with Playwright and Checkly, including bot protection, consent popups, and checkout monitoring.

The Evaluability Gap: Designing for Scalable Human Review of AI OutputIn the age of AI, output velocity is no longer a limiting factor. AI can generate massive amounts of output in a fraction of the time it would take for a human. Code, designs, documents, analysis, and nearly anything else you can think of.However, as LLMs are integrated in more and more processes, we are left with a new problem: evaluation.In this post we'll look at the next great usability and reliability problem facing us al

<p>Thanks to a <a href="https://twitter.com/RahimNathwani/status/2039961945613209852">tip from Rahim Nathwani</a>, here's a <code>uv run</code> recipe for transcribing an audio file on macOS using the 10.28 GB <a href="https://huggingface.co/google/gemma-4-E2B">Gemma 4 E2B model</a> with MLX and <a href="https://github.com/Blaizzy/mlx-vlm">mlx-vlm</a>:</p><pre><code>uv run --python 3.13 --with mlx_vlm --with torchvision --w...

こんにちは、Service Reliability Group(SRG)の鬼海 雄太(@fat47) ...

Cloudflare's mission has always been to help build a better Internet. Sometimes that means building for the Internet as it exists. Sometimes it means building for the Internet as it's about to become. This week, we're kicking off Agents Week, dedicated to what comes next.

AI coding agents install packages, create pull requests, push commits, and run autonomously in CI/CD pipelines. Here's how to secure every stage of that workflow

Modern supply chain attacks target developer machines and AI coding agents. Learn how StepSecurity Dev Machine Guard stops credential theft early

Explore key CI/CD security trends for 2024, including shifts to modern platforms, third-party component risks, rising security incidents, and the growing need for secure pipelines. Learn how to protect your organization from evolving threats in the CI/CD landscape.

<p><strong><a href="https://sqlite.org/releaselog/3_53_0.html">SQLite 3.53.0</a></strong></p>SQLite 3.52.0 was withdrawn so this is a pretty big release with a whole lot of accumulated user-facing and internal improvements. Some that stood out to me:</p><ul><li><code>ALTER TABLE</code> can now add and remove <code>NOT NULL</code> and <code>CHECK</code> constraints - I've previously used my own <a href="...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/sqlite-qrf">SQLite Query Result Formatter Demo</a></p> <p>See my notes <a href="https://simonwillison.net/2026/Apr/11/sqlite/">on SQLite 3.53.0</a>. This playground provides a UI for trying out the various rendering options for SQL result tables from the new Query Result Formatter library, compiled to WebAssembly.</p> <p>Tags: <a href="https://simonwillison.net...

Claude に新たに追加された advisor tool を使用すると、通常のタスクは軽量モデルに任せつつ、必要に応じて高性能モデルに相談することで、性能とコストのバランスを最適化できます。この記事では Claude Code 内で advisor tool を活用する方法について紹介します。

Backend Engineer · Open source · Terminal

OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.

<p>Lenny <a href="https://twitter.com/lennysan/status/2042615413494939943">posted</a> another snippet from <a href="https://simonwillison.net/2026/Apr/2/lennys-podcast/">our 1 hour 40 minute podcast recording</a> and it's about kākāpō parrots!</p><p><video src="https://static.simonwillison.net/static/2026/kakapo-lenny.mp4" poster="https://static.simonwillison.net/static/2026/kakapo-lenny.jpg" controls preload="none" playsinline style="display:block; ...

GitHub for Beginners: Getting started with the GitHub Copilot CLI, a step-by-step tutorial.The post GitHub Copilot CLI for Beginners: Getting started with GitHub Copilot CLI appeared first on The GitHub Blog.

<p>I think it's non-obvious to many people that the OpenAI voice mode runs on a much older, much weaker model - it feels like the AI that you can talk to should be the smartest AI but it really isn't.</p><p>If you ask ChatGPT voice mode for its knowledge cutoff date it tells you April 2024 - it's a GPT-4o era model.</p><p>This thought inspired by <a href="https://twitter.com/karpathy/status/2042334451611693415">this Andrej Karpathy tweet</a> about the g...

It's fine. I'm fine. I just like learning ok.

Your RTE choice shapes how much compliance work your team owns. Learn what to look for when building for healthcare, finance, or government.

Practical guidelines for driving UX impact in organizations with legacy systems and broken processes. Brought to you by Measuring UX Impact, **friendly video course on UX** and design patterns by Vitaly.

Using CSS animations as state machinesExtremely clever stuff from Patrick here!Endgame for the open webAnil articulates the reality of the open web really well and gives us pragmatic advice of what we can tangibly do to protect if from the vultures in the tech industry.Checking if a movie has a post or mid credit sceneA very cool tool (and write up) that's surprisingly simple.EZ-TreeNeed to procedurally generate trees? Don't slop it and use this tool instead.Wind Waker JSOne for the Zelda fans o

A quick but important reminder that font-family declarations don’t inherit fallback stacks the way many developers assume.

HTML in Canvas API は WICG で提案されている API で、Canvas 内に直接 HTML を描画できるようにするものです。現在の `` 要素にはリッチテキストや HTML コンテンツを描画する標準的な方法が存在しないという課題があります。この記事では HTML in Canvas の使用方法やユースケースについて説明します。

Neovim 0.12 ships a native UI2 layer that covers a lot of things what noice.nvim provided. Here's what I replaced, what I kept, and what changed.

Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.

要約 3回目に権限をリクエストしたときにダイアログが出ないのは仕様です。権限ダイアログを出すのは諦め ...

We unveil the gemfile toolbox of the Martian Rails engineer; a universe of Evil Martian gems that encapsulate our philosophy and soul.

In short: GitHub’s downtime is bad, but uptime numbers can be misleading. It’s not as bad as it looks; more like a D than an F.“Zero nines uptime”?99.99% uptime, or “four nines”, is a common industry standard. Four nines of uptime is equivalent to 1.008 minutes of downtime per week.GitHub is not meeting that, and it’s frustrating. Even though they’re owned by Microsoft’s, one of the richest companies on earth, they aren’t clearing this bar.Here are some things people are saying:“GitHub appears t

The vendor is currently running a ClickFix clipboard hijacker on its own homepage. The vendor sells network exposure management and attack-path analysis to Fortune 500 enterprises, the US Departmen...

Learn how to use lazy loading without hurting web performance. This article explains when lazy loading improves performance, when it backfires, and how it impacts Core Web Vitals like LCP, CLS, and INP — with practical patterns and real-world pitfalls.

Hi, I’m a backend engineer on the Bucketeer ...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/github-repo-size">GitHub Repo Size</a></p> <p>GitHub doesn't tell you the repo size in the UI, but it's available in the CORS-friendly <a href="https://api.github.com/repos/simonw/datasette">API</a>. Paste a repo into this tool to see the size, <a href="https://tools.simonwillison.net/github-repo-size?repo=simonw%2Fdatasette">for example for simonw/datasette</a> (...

A registry-only supply chain attack on @velora-dex/sdk delivers an architecture-aware macOS backdoor that fires the moment your code imports the package. No install hooks, no repo commits, no visible output.

StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios, the largest npm supply chain attack on a single package by download count, before any public disclosure existed. What followed was a race against a state-sponsored threat actor who actively deleted GitHub issues to suppress the warning, a decision to host a community call at midnight that drew 200 attendees, and coverage from Bloomberg to Andrej Karpathy

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.

TeamPCP weaponized 76 Trivy version tags overnight. The KICS attack followed the same playbook days later. One security control is not enough. Here is how the StepSecurity platform's ten independent security layers work together to prevent credential exfiltration, detect compromised actions at runtime, and respond to incidents across your entire organization before attackers can succeed.

Your developer machine is running AI agents, MCP servers, IDE extensions, and hundreds of packages. Do you know which ones? Now there's a free, open-source way to find out.

Datadog's State of DevSecOps 2026 report confirms what StepSecurity has been warning about for years: CI/CD pipelines and GitHub Actions are prime targets for supply chain attacks. Learn how StepSecurity's platform directly mitigates every major risk identified in the report, from unpinned actions to day-of-release dependencies.

A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.

How StepSecurity delivers real-world protection across all critical pillars identified in Wiz's SDLC Infrastructure Threat Framework (SITF)