Updates from the past week
4/26 (Sun)

elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection
Step Security Blog
A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. The same release run also pushed a multi-arch container image to GitHub Container Registry at ghcr.io/elementary-data/elementary, tagged both 0.23.3 and latest.
5 hours ago

WHY ARE YOU LIKE THIS
Simon Willison's Weblog
@scottjla on Twitter (https://twitter.com/scottjla/status/2047535371664457863) in reply to my pelican riding a bicycle (https://simonwillison.net/tags/pelican-riding-a-bicycle/) benchmark: "I feel like we need to stack these tests now" [Image: AI generated image. A pelican is riding a bicycle along a dirt track, chased by a police car. The pelican looks panicked, likely because ther...
7 hours ago
4/25 (Sat)

Quoting Romain Huet
Simon Willison's Weblog
"Since GPT-5.4, we’ve unified Codex and the main model into a single system, so there’s no separate coding line anymore. GPT-5.5 takes this further, with strong gains in agentic coding, computer use, and any task on a computer." — Romain Huet (https://twitter.com/romainhuet/status/2047955381578838357), con...
12 hours ago

GPT-5.5 prompting guide
Simon Willison's Weblog
GPT-5.5 prompting guide (https://developers.openai.com/api/docs/guides/prompt-guidance?model=gpt-5.5). Now that GPT-5.5 is available in the API (https://developers.openai.com/api/docs/models/gpt-5.5), OpenAI have released a wealth of useful tips on how best to prompt the new model. Here's a neat trick they recommend for applications that might spend considerable time thinking before r...
19 hours ago

73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations
Socket
Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.
1 day ago

llm 0.31
Simon Willison's Weblog
Release: llm 0.31 (https://github.com/simonw/llm/releases/tag/0.31). "New GPT-5.5 OpenAI model: `llm -m gpt-5.5`. #1418 (https://github.com/simonw/llm/issues/1418). New option to set the text verbosity leve... (https://developers.openai.com/cookbook/examples/gpt-5/gpt-5_new_params_and_tools#1-verbosity-parameter)
1 day ago

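Trying out json-render, which has AI generate UI from predefined components
azukiazusa のテックブログ2
Generative UI, an approach in which AI generates the UI, is attracting attention. However, because AI output is unpredictable, there is also a risk that unintended UI will be generated. json-render is a framework that has the AI generate JSON based on a catalog of predefined components and actions, which reduces the risk of the AI producing UI with an incorrect structure and provides UI that is naturally integrated as part of the application.
1 day ago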

The people do not yearn for automation
Simon Willison's Weblog
The people do not yearn for automation (https://www.theverge.com/podcast/917029/software-brain-ai-backlash-databases-automation). This written and video essay by Nilay Patel explores why AI is unpopular with the general public even as usage numbers for ChatGPT continue to skyrocket. It’s a superb piece of commentary, and something I expect I’ll be thinking about for a long time to come. Nil...
1 day ago

Auto `sizes` on Images
Frontend Masters Boost RSS Feed
Hand-writing/maintaining a sizes attribute is just not going to happen. This is the way.
1 day ago

Fresh 2.3: Zero JS by default, View Transitions, and Temporal support
Deno
Fresh 2.3 ships true zero-JS pages, View Transitions, CSP nonce support, IP filtering, and Temporal API support in islands.
1 day ago
4/24 (Fri)

Introducing Reachability for PHP
Socket
Reachability analysis for PHP is now available in experimental, helping teams identify which vulnerabilities are actually exploitable.
1 day ago

The Index: Issue #179
Piccalilli - Everything
Delivering a dynamic hexagonal world map in just 10kb: This is really impressive stuff from the speed experts at Calibre. The importance of people who care: Tech is full of people who care deeply about their area of chosen specialism, and we’re all struggling in a world where doing lots of stuff really fast has become the most important thing. Keep caring and wait it out. I don't want a screenshot of your Claude conversation: Above everything else, it's disrespectful behaviour. We're glad Dave has written
1 day ago

Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools
Step Security Blog
@bitwarden/[email protected] — the official command-line interface for the Bitwarden password manager — was found compromised on npm. A malicious preinstall hook silently bootstraps the Bun JavaScript runtime and launches a 9.7 MB obfuscated credential stealer that targets developer secrets, GitHub Actions environments, and — explicitly — AI coding tool configurations including ~/.claude.json and MCP server configs. All stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx.cx,
2 days ago

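We attended try! Swift Tokyo 2026
STORES Product Blog
Introduction. I'm Kuriyama (@kotetu), and I work on iOS app development for STORES Payments. More than a week has passed since try! Swift Tokyo 2026 ended; thank you all for the three days! Having attended the whole event, I once again had a very full experience. Today we looked back on try! Swift Tokyo 2026 under the theme "try! Swift Tokyo 2026 as seen by STORES members." About try! Swift Tokyo. try! Swift Tokyo is an international conference for developers who use Swift. Swif…
2 days ago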

Localization support for web app manifests
developer.chrome.com: Blog
Your manifest can now support multiple languages.
2 days ago

GPT 5.5 on AI Gateway
Vercel News
GPT-5.5 is now available on Vercel AI Gateway. There are 2 variants: GPT-5.5 and GPT-5.5 Pro. Both models are tuned for long-running agentic work across coding, computer use, knowledge work, and scientific research, and are more token-efficient than the previous generation. GPT-5.5 is stronger at agentic coding and long-horizon work where the model needs to hold context across a large system and carry changes through the surrounding codebase. Paired with computer-use skills, it can operate real so
2 days ago

DeepSeek V4 - almost on the frontier, a fraction of the price
Simon Willison's Weblog
Chinese AI lab DeepSeek's last model release was V3.2 (and V3.2 Speciale) last December (https://simonwillison.net/2025/Dec/1/deepseek-v32/). They just dropped the first of their hotly anticipated V4 series in the shape of two preview models, DeepSeek-V4-Pro (https://huggingface.co/deepseek-ai/DeepSeek-V4-Pro) and DeepSeek-V4-Flash (https://huggingface.co/deepseek-ai/DeepSeek-V4-Flash). Both model...
2 days ago

Millisecond Converter
Simon Willison's Weblog
Tool: Millisecond Converter (https://tools.simonwillison.net/milliseconds). LLM (https://llm.datasette.io/) reports prompt durations in milliseconds and I got fed up of having to think about how to convert those to seconds and minutes. Tags: tools (https://simonwillison.net/tags/tools)
2 days ago

It's a big one
Simon Willison's Weblog
This week's edition (https://simonw.substack.com/p/gpt-55-chatgpt-images-20-qwen36-27b) of my email newsletter (aka content from this blog (https://simonwillison.net/2023/Apr/4/substack-observable/) delivered to your inbox) features 4 pelicans riding bicycles, 1 possum on an e-scooter, up to 5 raccoons with ham radios hiding in crowds, 5 blog posts, 8 links, 3 quotes and a new chapter of my Agentic Engineering Patterns guide. ...
2 days ago

russellromney/honker
Simon Willison's Weblog
russellromney/honker (https://github.com/russellromney/honker). "Postgres NOTIFY/LISTEN semantics" for SQLite, implemented as a Rust SQLite extension and various language bindings to help make use of it. The design of this looks very solid. It lets you write Python code for queues that looks like this: `import honker`...
2 days ago

An update on recent Claude Code quality reports
Simon Willison's Weblog
An update on recent Claude Code quality reports (https://www.anthropic.com/engineering/april-23-postmortem). It turns out the high volume of complaints that Claude Code was providing worse quality results over the past two months was grounded in real problems. The models themselves were not to blame, but three separate issues in the Claude Code harness caused complex but material problems which directly affe...
2 days ago

Serving the For You feed
Simon Willison's Weblog
Serving the For You feed (https://atproto.com/blog/serving-the-for-you-feed). One of Bluesky's most interesting features is that anyone can run their own custom "feed" implementation and make it available to other users - effectively enabling custom algorithms that can use any mechanism they like to recommend posts. spacecowboy runs the ...
2 days ago

Claude Code Tips I Wish I’d Had From Day One
Marmelab Blog
The workflow, best practices, and pitfalls we learned after months of daily Claude Code use at marmelab.
2 days ago

Everything you should know about NIST's AI Agent Standards Initiative
WorkOS Blog
Agent identity is no longer experimental. NIST's February 2026 announcement made it enterprise-critical.
2 days ago

WorkOS vs Clerk: Which one is better for B2B?
WorkOS Blog
A practical comparison across features, pricing, reliability, and what enterprise buyers actually grade you on.
2 days ago

Which Country Has The Fastest Government Website?
DebugBear Blog
An analysis of 25 government websites to discover which website has the fastest Largest Contentful Paint (LCP) and upholds modern web standards.
2 days ago

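Supporting Liquid Glass — Decision-Making and Implementation at Tapple
CyberAgent Developers Blog | サイバーエージェント デベロッパーズブログ
Supporting Liquid Glass — Decision-Making and Implementation at Tapple. What you will learn in this article: ✅ Design ...
2 days ago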

Extract PDF text in your browser with LiteParse for the web
Simon Willison's Weblog
LlamaIndex have a most excellent open source project called LiteParse (https://github.com/run-llama/liteparse), which provides a Node.js CLI tool for extracting text from PDFs. I got a version of LiteParse working entirely in the browser, using most of the same libraries that LiteParse uses to run in Node.js. Spatial text parsing. Refreshingly, LiteParse doesn't use AI models to do what it does: it's...
2 days ago

Introducing Data Exports
Socket
Export Socket alert data to your own cloud storage in JSON, CSV, or Parquet, with flexible snapshot or incremental delivery.
2 days ago

Release Notes for Safari Technology Preview 242
WebKit
Safari Technology Preview Release 242 is now available for download for macOS Tahoe and macOS Sequoia.
2 days ago

A pelican for GPT-5.5 via the semi-official Codex backdoor API
Simon Willison's Weblog
GPT-5.5 is out (https://openai.com/index/introducing-gpt-5-5/). It's available in OpenAI Codex and is rolling out to paid ChatGPT subscribers. I've had some preview access and found it to be a fast, effective and highly capable model. As is usually the case these days, it's hard to put into words what's good about it - I ask it to build things and it builds exactly what I ask for! There's one notable omission from today's release - the API:...
2 days ago

llm-openai-via-codex 0.1a0
Simon Willison's Weblog
Release: llm-openai-via-codex 0.1a0 (https://github.com/simonw/llm-openai-via-codex/releases/tag/0.1a0). Hijacks your Codex CLI credentials to make API calls with LLM, as described in my post about GPT-5.5 (https://simonwillison.net/2026/Apr/23/gpt-5-5/#llm-openai-via-codex). Tags: openai (https://simonwillison.net/tags/openai), ...
2 days ago

Constructable Stylesheets and adoptedStyleSheets: One Parse, Every Shadow Root
Frontend Masters Boost RSS Feed
If you have any shared styles across multiple shadow DOMs (imagine 20 custom button components), a Constructable Stylesheet is just way more efficient.
2 days ago
4/23 (Thu)

Quoting Maggie Appleton
Simon Willison's Weblog
"[...] if you ever needed another reason to learn in public (https://www.swyx.io/learn-in-public) by digital gardening (https://maggieappleton.com/garden-history) or podcasting or streaming or whathaveyou, add on that people will assume you’re more competent than you are. This will get you invites to very cool exclusive events filled with high-achieving, interesting p...
2 days ago

Recreating Apple’s Vision Pro Animation in CSS
CSS-Tricks
Putting CSS’s more recent scrolling animation capabilities to the test to recreate a complex animation of the Apple Vision Pro headset from Apple's website. Recreating Apple’s Vision Pro Animation in CSS originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.
2 days ago

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Socket
Bitwarden CLI 2026.4.0 was compromised in the Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.
2 days ago

The end of responsive images
Piccalilli - Everything
I’ve been waiting for fourteen years to write this article. Fourteen years to tell you about one relatively new addition to the way images work on the web. For you, just a handful of characters will mean improvements to the fundamental ergonomics of working with images. For users, it will mean invisible, seamless, and potentially massive improvements to front-end performance, forever stitched into the fabric of the web. For me, it means the time has finally come to confess to my sinister machina
2 days ago

Deepseek V4 on AI Gateway
Vercel News
DeepSeek V4 is now available on Vercel AI Gateway. There are 2 model variants: DeepSeek V4 Pro and DeepSeek V4 Flash. A 1M token context window is the default across both models. DeepSeek V4 Pro focuses on agentic coding, formal mathematical reasoning, and long-horizon workflows. It handles feature development, bug fixing, and refactoring across stacks, with tool use that works across harnesses like MCP workflows and agent frameworks. It also writes clear, well-structured long-form documents. Deep
3 days ago

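KubeCon + CloudNativeCon Europe 2026 Participation Report by LY Corporation Engineers
LINEヤフー Tech Blog (LY Corporation Tech Blog
Introduction. Hello. I'm Nakamura, and I work on the development and operation of the internal private cloud at LY Corporation. From March 23 to 26, 2026, in Amsterdam, the Netherlands, KubeCon + CloudNa...
3 days ago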

Stop Hardcoding Your Timeouts
Ahmad Alfy
Hardcoded timeouts with no config options are a silent tax on developers outside the wealthy west. A rant about npx skills, Docker Gordon, and the arrogance of assuming everyone has a fast connection.
3 days ago

How to protect against OAuth-based supply chain breaches and credential sprawl
Blog on 1Password Blog
For security teams, credential sprawl is like dust; you don't notice it until it has accumulated. Over time, access spreads across SaaS apps, developer tools, automation workflows, and now AI agents. People sign up for tools to get work done and connect accounts using OAuth because it is fast and familiar. Credentials get reused across scripts, stored in environment variables, or passed between systems that were never meant to share a common control layer. The problem only becomes visible when you
3 days ago

What it takes to get FedRAMP authorized: Lessons from companies that did it
WorkOS Blog
What it really takes to sell to the U.S. government, from the teams who have been through it.
3 days ago

The Incredible Overcomplexity of the Shadcn Radio Button
Frontend Masters Boost RSS Feed
A radio button is this: Paul Hebert took a fair look at how Shadcn turns that into 45 lines of code and three imports, which in turn uses Radix which is 215 lines of code and 7 more imports. But do you get better accessibility? No, it’s arguably worse. But do you get ease of […]
3 days ago

Your docs have a new audience
WorkOS Blog
AI agents are reading your documentation. Here's what WorkOS did to serve them clean markdown instead of unparseable HTML.
3 days ago

Qwen3.6-27B: Flagship-Level Coding in a 27B Dense Model
Simon Willison's Weblog
Qwen3.6-27B: Flagship-Level Coding in a 27B Dense Model (https://qwen.ai/blog?id=qwen3.6-27b). Big claims from Qwen about their latest open weight model: "Qwen3.6-27B delivers flagship-level agentic coding performance, surpassing the previous-generation open-source flagship Qwen3.5-397B-A17B (397B total / 17B active MoE) across all major coding benchmarks." ...
3 days ago

Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions
Socket
Docker and Socket have uncovered malicious Checkmarx KICS images and suspicious code extension releases in a broader supply chain compromise.
3 days ago

Announcing Rspack 2.0
Rspack Blog
Rspack 2.0 is out! It introduces more modern defaults, API design, and build outputs while remaining compatible with the webpack ecosystem.
3 days ago
4/22 (Wed)

Introducing Organization Notifications in Socket
Socket
Stay on top of alert changes with filtered subscriptions, batched summaries, and notification routing built for triage.
3 days ago

Enhancing Astro With a Markdown Component
CSS-Tricks
I use a Markdown Component for two main reasons: (1) It reduces the amount of markup I need to write, and (2) it converts typographic symbols. Here's how it works. Enhancing Astro With a Markdown Component originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.
3 days ago

Making Rust Workers reliable: panic and abort recovery in wasm‑bindgen
The Cloudflare Blog
Panics in Rust Workers were historically fatal, poisoning the entire instance. By collaborating upstream on the wasm‑bindgen project, Rust Workers now support resilient critical error recovery, including panic unwinding using WebAssembly Exception Handling.
3 days ago

CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister
Step Security Blog
On April 21, 2026, malicious versions of pgserve were published to npm. pgserve is an embedded PostgreSQL server for development — zero config, auto-provisioned databases, designed to be dropped into any Node.js project. The compromised versions (1.1.11, 1.1.12, and 1.1.13) inject a 1,143-line credential-harvesting script that runs via postinstall on every npm install.
3 days ago

What Is CKEditor AI? A Guide for Product Teams
CKEditor Ecosystem Blog
CKEditor AI brings AI-assisted writing directly into your rich text editor. Discover how it works, what pain points it solves, and why teams are adopting it.
3 days ago

The UX Designer’s Nightmare: When “Production-Ready” Becomes A Design Deliverable
Articles on Smashing Magazine — For Web Designers And Developers
In a rush to embrace AI, the industry is redefining what it means to be a UX designer, blurring the line between design and engineering. Carrie Webster explores what’s gained, what’s lost, and why designers need to remain the guardians of the user experience.
4 days ago

Unlock Structured Clone for Chrome Extension Messaging
developer.chrome.com: Blog
Chrome extension developers can now opt-in to use the Structured Clone algorithm for message serialization.
4 days ago

What's New in WebGPU (Chrome 147-148)
developer.chrome.com: Blog
WGSL linear_indexing extension and WebGPU on Linux NVIDIA.
4 days ago

Supabase is now ISO 27001 certified
Supabase Blog
Supabase is certified to ISO/IEC 27001:2022. The certificate covers our information security management system across the entire platform.
4 days ago

Quoting Bobby Holley
Simon Willison's Weblog
"As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week’s release of Firefox 150 includes fixes for 271 vulnerabilities (https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/) identified during this initial evaluation. [...] Our experie...
4 days ago

Changes to GitHub Copilot Individual plans
Simon Willison's Weblog
Changes to GitHub Copilot Individual plans (https://github.blog/news-insights/company-news/changes-to-github-copilot-individual-plans/). On the same day as Claude Code's temporary will-they-won't-they $100/month kerfuffle (for the moment, they won't (https://simonwillison.net/2026/Apr/22/claude-code-confusion/#they-reversed-it)), here's the latest on GitHub Copilot pricing. Unlike Ant...
4 days ago

Is Claude Code going to cost $100/month? Probably not - it's all very confusing
Simon Willison's Weblog
Anthropic today quietly (as in silently, no announcement anywhere at all) updated their claude.com/pricing (https://claude.com/pricing) page (but not their Choosing a Claude plan page (https://support.claude.com/en/articles/11049762-choosing-a-claude-plan), which shows up first for me on Google) to add this tiny but significant detail (arrow is mine, ...
4 days ago

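PR TIMES is sponsoring and speaking at PHP Conference Kagawa 2026! #phpconkagawa
PR TIMES 開発者ブログ
Hello! I'm Shogo Kawase (@shogogg) of PR TIMES. As an engineering manager, I work on the development of the press release distribution service PR TIMES, management of the development team, operational improvement, hiring, and more. My favorite […]
4 days ago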

Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware
Socket
Malicious Namastex.ai npm packages appear to replicate TeamPCP-style Canister Worm tradecraft, including exfiltration and self-propagation.
4 days ago

What cyber conflict reveals about power and doctrine, with Allie Mellen
Blog on 1Password Blog
Listen to the episode. Cyber conflict is easiest to misread when we treat it as an isolated technical event. In this episode of Chasing Entropy, Dave Lewis speaks with analyst and author Allie Mellen about her book Code War and why the cyber strategies of the United States, China, and Russia make more sense when viewed through the lens of history, doctrine, and political intent. From the Gulf War to Russia’s war in Ukraine, cyberattacks are most effective when they reinforce defined objectives with
4 days ago

Ship production AI features faster with Firebase AI Logic
Firebase Blog
What's new at Cloud Next '26
4 days ago

MCP Servers: Your Next User Is An AI Agent
Marmelab Blog
MCP servers are the best thing since sliced bread. They extend the capabilities of AI assistants and let them connect with third-party tools. If your service doesn't have one yet, it's time to prioritize it.
4 days ago

Self-Healing CI Now Suggests What to Auto-Apply
Nx Blog
Nx Cloud now recommends which tasks are safe to auto-apply in Self-Healing CI, based on your CI history and verification success rate.
4 days ago

Best practices for AI agent access control
WorkOS Blog
Identity, authorization, and oversight patterns for systems that act on their own.
4 days ago

Building authentication in Java applications: The complete guide for 2026
WorkOS Blog
Master Spring Security authentication from form login and JWT to enterprise SSO, with production-ready patterns across Spring Boot, Quarkus, and Micronaut.
4 days ago

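Design Beyond Job Boundaries – Digital Product Design Strategy in the AI Era
CyberAgent Developers Blog | サイバーエージェント デベロッパーズブログ
I'm Honda, digital product design lead in the AmebaLIFE Business Division. This time, what we have been working on in recent years ...
4 days ago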

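In the AI Era, Do Things That Don't Scale — Following the Bottleneck Beyond the Code
カミナシ エンジニアブログ
Introduction. I'm Shimmy (@naoya7076), and I develop new products at Kaminashi. We are currently developing a new product as a prototype and gathering feedback while providing it to customers. We use AI, including Claude Code, throughout the entire development process, and development items are being implemented faster than planned. "AI has made coding faster. So what do you do with the time that frees up?" In answer to this question, I will write about what I have practiced in new product development. "Build more" is an anti-pattern. When AI raises implementation speed, it is easy to be pulled toward "let's build more." However, needlessly increasing the things you build…
4 days ago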

Where's the raccoon with the ham radio? (ChatGPT Images 2.0)
Simon Willison's Weblog
OpenAI released ChatGPT Images 2.0 today (https://openai.com/index/introducing-chatgpt-images-2-0/), their latest image generation model. On the livestream (https://www.youtube.com/watch?v=sWkGomJ3TLI) Sam Altman said that the leap from gpt-image-1 to gpt-image-2 was equivalent to jumping from GPT-3 to GPT-5. Here's how I put it to the test. My prompt: "Do a where's Waldo st...
4 days ago

Announcing TypeScript 7.0 Beta
Daniel Rosenwasser, Author at TypeScript
Today we are absolutely thrilled to announce the release of TypeScript 7.0 Beta! If you haven’t been following TypeScript 7.0’s development, this release is significant in that it is built on a completely new foundation. Over the past year, we have been porting the existing TypeScript codebase from TypeScript (as a bootstrapped codebase that compiles […] The post Announcing TypeScript 7.0 Beta appeared first on TypeScript.
4 days ago

Quoting Andreas Påhlsson-Notini
Simon Willison's Weblog
"AI agents are already too human. Not in the romantic sense, not because they love or fear or dream, but in the more banal and frustrating one. The current implementations keep showing their human origin again and again: lack of stringency, lack of patience, lack of focus. Faced with an awkward task, they drift towards the familiar. Faced with hard constraints, they start negotiating with reality." ...
4 days ago

Introducing Reports: An Extensible Reporting Framework for Socket Data
Socket
Explore exportable charts for vulnerabilities, dependencies, and usage with Reports, Socket’s new extensible reporting framework.
4 days ago

scosman/pelicans_riding_bicycles
Simon Willison's Weblog
scosman/pelicans_riding_bicycles (https://github.com/scosman/pelicans_riding_bicycles). I firmly approve of Steve Cosman's efforts to pollute the training set of pelicans riding bicycles. [Image: The heading says "Pelican Riding a Bicycle #1 - the image is a bear on a snowboard] (To be fair, most ...
4 days ago
4/21 (Tue)

The Web Is Fun Again: First Experiments with HTML in Canvas
Frontend Masters Boost RSS Feed
An experimental API lets us put HTML within those opening and closing canvas tags and render it to the canvas, while remaining interactive. Lots of possibility here!
4 days ago

Moving past bots vs. humans
The Cloudflare Blog
As AI assistants and privacy proxies challenge the capabilities of traditional bot detection, the Web needs new models for accountability. We believe that control should remain with the client, and that an open ecosystem of anonymous credentials is key to preserving user privacy while protecting origins from abuse.
4 days ago

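The `ariaNotify()` method for notifying assistive technology imperatively
azukiazusa のテックブログ2
The `ariaNotify()` method is a Web API that provides an imperative way to notify users of assistive technology about dynamic content updates. In the existing WAI-ARIA specification, the common approach has been to convey information to assistive technology with declarative attributes, but the `ariaNotify()` method is distinctive in that it lets you use JavaScript to send notifications to assistive technology at specific moments.
5 days ago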

GPT Image 2 on AI Gateway
Vercel News
GPT Image 2 is now available on Vercel AI Gateway. OpenAI's newest image model supports detailed instruction following, accurate placement and relationships between objects, and rendering of dense text across multiple aspect ratios. The model can render fine-grained elements including small text, iconography, UI elements, dense compositions, and subtle stylistic constraints, at up to 2K resolution. Non-English text is also supported and reads coherently. GPT Image 2 can produce photos, cinematic st
5 days ago

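Building a Slack First-Response AI with Codex CLI
LINEヤフー Tech Blog (LY Corporation Tech Blog
Hello, I'm Soda of LY Corporation. I usually work on backend development for the new Yahoo! Maps app and serve as a scrum master, while also Orchestration Development Workshop...
5 days ago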

3 rules for getting AI agents to find, use—and not exploit—your devtool
Evil Martians
The agent-led growth playbook: how to make AI agents discover, use, and pay for your developer tool, and defend against the ones you didn't invite. LLM discoverability, agent-first onboarding, agent payments, AX security.
5 days ago

Fetch Notion pages without OAuth using WorkOS Pipes
WorkOS Blog
Build a Node app that lets users connect Notion and list their pages with a refreshed access token, without implementing OAuth.
5 days ago

Best practices for secure user authentication
WorkOS Blog
An opinionated checklist for the auth decisions you'll actually have to make.
5 days ago

How to verify JWTs in a Next.js App Router app
WorkOS Blog
Picking a library, choosing where to verify, and avoiding the mistakes that quietly break security.
5 days ago

Technical SEO Checklist: The Complete Guide For 2026
DebugBear Blog
A comprehensive technical SEO checklist for 2026 covering crawling, indexing, Core Web Vitals, JavaScript rendering, security, and visibility in AI-powered search engines.
5 days ago

Socket for Jira Is Now Available
Socket
Socket for Jira lets teams turn alerts into Jira tickets with manual creation, automated ticketing rules, and two-way sync.
5 days ago

Changes to GitHub Copilot Individual plans
The GitHub Blog
We're making these changes to ensure a reliable and predictable experience for existing customers. The post Changes to GitHub Copilot Individual plans appeared first on The GitHub Blog.
5 days ago

llm-openrouter 0.6
Simon Willison's Weblog
Release: llm-openrouter 0.6 (https://github.com/simonw/llm-openrouter/releases/tag/0.6). "`llm openrouter refresh` command for refreshing the list of available models without waiting for the cache to expire." I added this feature so I could try Kimi 2.6 (https://www.kimi.com/blog/kimi-k2-6) on O...
5 days ago

Highlights from Git 2.54
The GitHub Blog
The open source Git project just released Git 2.54. Here is GitHub’s look at some of the most interesting features and changes introduced since last time. The post Highlights from Git 2.54 appeared first on The GitHub Blog.
5 days ago
4/20 (Mon)

Markdown + Astro = ❤️
CSS-Tricks
Although Astro has built-in support for Markdown via .md files, I'd argue that your Markdown experience can be enhanced with MDX. Markdown + Astro = ❤️ originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.
5 days ago

Building a Blog in TanStack (Part 2 of 2)
Frontend Masters Boost RSS Feed
A blog is a perfect use case for pre-rendering, so that the static build files can render all on their own. TanStack Start can even help with the server functions via middleware.
5 days ago

7 Best Static Code Analysis Tools
Company | The JetBrains Blog
Investing in static code analysis tools might seem straightforward, but finding one that truly fits your team can be tough. Most tools promise the usual benefits: cleaner code, fewer bugs, better security, and more consistency in code reviews. Yet in reality, there’s a big difference between a tool the team embraces and one that everyone […]
5 days ago

Building the agentic cloud: everything we launched during Agents Week 2026
The Cloudflare Blog
Agents Week 2026 is a wrap. Let’s take a look at everything we announced, from compute and security to the agent toolbox, platform tools, and the emerging agentic web. Everything we shipped for the agentic cloud.
5 days ago

The AI engineering stack we built internally — on the platform we ship
The Cloudflare Blog
We built our internal AI engineering stack on the same products we ship. That means 20 million requests routed through AI Gateway, 241 billion tokens processed, and inference running on Workers AI, serving more than 3,683 internal users. Here's how we did it.
5 days ago

Orchestrating AI Code Review at scale
The Cloudflare Blog
Learn about how we built a CI-native AI code reviewer using OpenCode that helps our engineers ship better, safer code.
5 days ago

Session Timeouts: The Overlooked Accessibility Barrier In Authentication Design
Articles on Smashing Magazine — For Web Designers And Developers
Poorly handled session timeouts are more than a technical inconvenience. They can become serious accessibility barriers that interrupt essential online tasks, especially for people with disabilities. Here is how to implement thoughtful session management that improves usability, reduces frustration, and helps create a more accessible and respectful web.
5 days ago

Bun v1.3.13
bun.com
Fixes 82 issues (addressing 381 👍). bun test --parallel, --isolate, --shard, and --changed, bun install streams tarballs to disk using 17x less memory, source maps use 8x less memory, 5.5x faster gzip with zlib-ng, Range request support in Bun.serve(), SHA3 in node:crypto and WebCrypto, ws+unix:// WebSocket client, and many bugfixes and Node.js compatibility improvements
6 days ago

Final Soft Navigations origin trial starting in Chrome 147
developer.chrome.com: Blog
Take a last chance to try out the Soft Navigations API before release with this final origin trial.
6 days ago

Kimi K2.6 on AI Gateway
Vercel News
Kimi K2.6 from Moonshot AI is now available on Vercel AI Gateway. The model focuses on long-horizon coding tasks, with generalization across languages such as Rust, Go, and Python and across front-end, devops, and performance optimization work. K2.6 can turn simple prompts into complete front-end interfaces with structured layouts. For autonomous, proactive agents that run continuously across multiple applications, K2.6 improves on API interpretation, long-running stability, and safety awareness d
6 days ago

SQL functions in Google Sheets to fetch data from Datasette
Simon Willison's Weblog
TIL: SQL functions in Google Sheets to fetch data from Datasette (https://til.simonwillison.net/google-sheets/datasette-sql). I put together some notes on patterns for fetching data from a Datasette instance directly into Google Sheets - using the importdata() function, a "named function" that wraps it or a Google Apps Script if you need to send an API token in an HTTP header (not supported ...
6 days ago

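Tech events scheduled for May 2026
LINEヤフー Tech Blog (LY Corporation Tech Blog)
LY Corporation hosts and sponsors technology-related events and study sessions. Please check each link for the latest information. Depending on the timing, registration may not have opened yet or the event may already be full...
6 days ago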

Secretlint v12.0.0 released: adds detection for Groq, Hugging Face, Notion, GitLab, Grafana, HashiCorp Vault, Vercel, Databricks, Docker, and Figma
Web Scratch
I have released v12.0.0 of Secretlint, a tool that finds secrets such as API tokens and passwords in source code and configuration files. Release v12.0.0 · secretlint/secretlint. This version adds detection for the following 10 services: Groq, Hugging Face, Notion, GitLab, Grafana, HashiCorp Vault, Vercel, Databricks, Docker, Figma. In addition, the package size of @secretlint/secretlint-rule-preset-recommend has been reduced by about 80%. Newly added detection rules: rules that detect API tokens and similar secrets for the following 10 services have been added to @secretlint/secretlint-rule-preset-recommend. Groq - API keys starting with gsk_. Hugging Face - User Access Tokens starting with hf_. Notion - secret_/ntn_-prefixed Integrat
6 days ago

We held PR TIMES HACKATHON 2026 Spring!
PR TIMES Developer Blog
Hello, I'm Miyazaki (@sucalul), an engineering manager. In this post I'd like to write about what we did at PR TIMES HACKATHON 2026 Spring, held from Monday, March 9 to Wednesday, March 11. […]
6 days ago

Claude Token Counter, now with model comparisons
Simon Willison's Weblog
Claude Token Counter, now with model comparisons (https://tools.simonwillison.net/claude-token-counter). I upgraded (https://github.com/simonw/tools/pull/269) my Claude Token Counter tool to add the ability to run the same count against different models in order to compare them. As far as I can tell Claude Opus 4.7 is the first model to change the tokenizer, so it's only worth running...
6 days ago

What we learned using AI agents to refactor a monolith
Blog on 1Password Blog
AI agents are increasingly used to refactor large codebases, but many teams lack a clear understanding of where they succeed and where they fail. At 1Password, we applied agentic tooling to a multi-million-line Go monolith, and in this blog we'll share what worked, what broke, and what it means for teams adopting AI in production systems. Here’s the situation: 1Password runs a large Go monolith called B5. It has been the foundation of our product for years and continues to perform well in product
6 days ago

Deploying a PNPM Monorepo to Cloudflare Pages
Nx Blog
Deploy apps from a pnpm or npm workspace to Cloudflare Pages with one GitHub Actions workflow, using Nx as the task scheduler to rebuild only what changed.
6 days ago

5 best Stytch alternatives in 2026
WorkOS Blog
Stytch works, until your enterprise deals outgrow it. Here's what to use instead.
6 days ago

DPoP (RFC 9449) explained: How sender-constrained OAuth tokens make token theft a non-event
WorkOS Blog
A practical walkthrough of RFC 9449 for engineers: the proof JWT, server-issued nonces, key storage in the browser, and where DPoP fits next to mTLS.
6 days ago

The OWASP Top 10 for LLM applications: What developers shipping AI features need to know
WorkOS Blog
How LLMs leak data, get hijacked, and turn friendly inputs into exploits, and why most of the defenses live outside the model.
6 days ago

Vibe code everything except your auth
WorkOS Blog
The one layer of your app where 'seems to work' isn't good enough.
6 days ago

Shopify Speed Optimization: Fixing The Real Bottlenecks
DebugBear Blog
Most Shopify speed advice focuses on Lighthouse scores, but the real bottlenecks are oversized hero sections, uncontrolled app scripts, and poor loading strategy. Here's how to fix them properly.
6 days ago

Headless everything for personal AI
Simon Willison's Weblog
Headless everything for personal AI (https://interconnected.org/home/2026/04/18/headless). Matt Webb thinks headless services are about to become much more common: "Why? Because using personal AIs is a better experience for users than using services directly (honestly); and headless services are quicker and more dependable for the personal AIs than having them cl..."
6 days ago
4/19 (Sun)

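SecureClipboard: a macOS app that automatically masks secrets in the clipboard
Web Scratch
I built SecureClipboard, a macOS app that monitors the clipboard and automatically masks secrets and API tokens when they land in it. GitHub: secretlint/secure-clipboard. It handles images as well as text, using the Vision framework to OCR and mask tokens that show up in screenshots. Internally it uses secretlint to detect tokens for AWS, GitHub, Slack, GCP, Azure, npm, Docker, and others. Because it is a macOS application whose scanning runs entirely locally, clipboard contents are never sent externally. Why I built it: after copying an API token and pasting it into .env, the token can remain on the clipboard. It is then easy to press ⌘+V in another window and unintentionally paste it into a Slack message box, a Linear issue title, the browser's search bar, and so on. Because you cannot see what is on the clipboard until you paste, it is hard to notice
7 days ago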

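You can now install and manage agent skills with the gh command
azukiazusa's Tech Blog 2
The `gh skill` command has been added to GitHub CLI, making it easy to install, search for, and manage agent skills on GitHub. This article covers how to use the `gh skill` command.
7 days ago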

Changes in the system prompt between Claude Opus 4.6 and 4.7
Simon Willison's Weblog
Anthropic are the only major AI lab to publish the system prompts (https://platform.claude.com/docs/en/release-notes/system-prompts) for their user-facing chat systems. Their system prompt archive now dates all the way back to Claude 3 in July 2024 and it's always interesting to see how the system prompt evolves as they publish new models. Opus 4.7 shipped the other day (April 16, 2026) with a Claude.ai (https://claude.ai/)...
7 days ago