Agentic workflows that run on every pull request can quietly accumulate large API bills. Here's how we instrumented our own production workflows, found the inefficiencies, and built agents to fix them.The post Improving token efficiency in GitHub Agentic Workflows appeared first on The GitHub Blog.

Safari Technology Preview Release 243 is now available for download for macOS Tahoe and macOS Sequoia.

No-Vary-Search lets HTTP caches ignore irrelevant query parameters such as UTM tags, while still keeping meaningful ones like product variants in the cache key.

NGINX Gateway Fabric 2.6 marks our initial foray into implementing enterprise grade security capabilities into the Gateway API standard. This release brings F5 WAF for NGINX support to a Gateway API implementation, making NGINX Gateway Fabric one of the first Gateway API implementations to offer enterprise-grade WAF capabilities natively. Here’s what else is new: F5 […]

This afternoon, we sent the following email to our global team. One of our core values at Cloudflare is transparency, and we believe it's important that you hear this directly from us because it’s a major moment at Cloudflare.

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-gemini/releases/tag/0.31">llm-gemini 0.31</a></p> <blockquote><ul><li><code>gemini-3.1-flash-lite</code> is <a href="https://cloud.google.com/blog/products/ai-machine-learning/gemini-3-1-flash-lite-is-now-generally-available">no longer a preview</a>. </li></ul></blockquote><p>Here's my write-up of the <a href="https://simonw...

A practical guide to reviewing agent-generated pull requests: what to look for, where issues hide, and how to catch technical debt before it ships.The post Agent pull requests are everywhere. Here’s how to review them. appeared first on The GitHub Blog.

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/big-words">Big Words</a></p> <p>I'm using my <a href="https://simonwillison.net/2026/Feb/25/present/">vibe coded macOS presentations tool</a> to put together a talk, and I wanted to add a slide with some text on it. The tool only accepts URLs, so I <a href="https://github.com/simonw/tools/pull/279">put together</a> a quick page that accepts query string arguments ...

<p><strong><a href="https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/">Behind the Scenes Hardening Firefox with Claude Mythos Preview</a></strong></p>Fascinating, in-depth details on how Mozilla used their access to the Claude Mythos preview to locate and then fix hundreds of vulnerabilities in Firefox:</p><blockquote><p><strong>Suddenly, the bugs are very good</strong></p><p>Just a few months ago...

<p>There weren't a lot of big new announcements from Anthropic at yesterday's Code w/ Claude event, but the biggest by far was the deal they've struck with SpaceX/xAI to use "all of the capacity of their Colossus data center".</p><p>As I mentioned in my <a href="https://simonwillison.net/2026/May/6/code-w-claude-2026/">live blog of the keynote</a>, that's the one with the <a href="https://www.politico.com/news/2025/05/06/elon-musk-xai-memphis-gas-turbines-air-po...

Two weeks ago we announced that we had identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models. In this post, we’ll go into more detail about how we approached this work, what we found, and advice for other projects on making […]The post Behind the Scenes Hardening Firefox with Claude Mythos Preview appeared first on Mozilla Hacks - the Web developer blog.

I will explain how my mum inspired this 2026 Mother’s Day scrollytelling experiment — but also, how she inspired my approach to dev and life.A Scrollytelling Gift for Mum on Mother’s Day 2026 originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

When a critical Linux kernel privilege escalation was publicly disclosed, Cloudflare's security and engineering teams detected, investigated, and mitigated the threat across our global fleet, confirming zero customer impact and no malicious exploitation.

Yarn Classic is frozen, and its lack of recursive transitive updates is becoming a real liability in an era where CVEs land weekly. It's time to move on.

You can now store JSON values in , extending the existing support for boolean, string, and number values. This allows you to collapse what used to take several related flags into a single feature flag.Vercel FlagsFor example, to A/B test how a different model performs, you can now define a single flag. This allows you to manage one flag that serves the full object rather than managing , , and separately:modelai_modelai_temperatureai_max_tokensUse Vercel Flags to progressively route traffic to a

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/github-repo-stats">GitHub Repo Stats</a></p> <p>One of the things I always look for when evaluating a new GitHub repository is the number of commits it has... but that number isn't visible on GitHub's mobile site layout. I built this tool to fix that, using this prompt:</p><blockquote><p><code>Given a GitHub repo URL or foo/bar repo ID show information about that ...

Let's try a fresh take on animating focus rings around a page. Flying focus, as it were. Only instead of measuring where elements are ourselves, we'll let View Transitions figure it out.

Astro 6.3 introduces experimental advanced routing with Hono support, image redirect handling, resilient island hydration, and more.

Get more flexible autogenerated sidebars, improved styling, and stronger multilingual docs support with the latest Starlight release.

The HTML Sanitizer API is a new browser feature that helps developers prevent XSS vulnerabilities by safely sanitizing HTML content.

Bump minimum Fumadocs version.

Most teams shift left by adding scanners and gates after code exists. The real shift is encoding security, quality, and compliance as inputs to planning.

This article is about how a developer can make the most of AI tools, by making good architectural decisions and reviewing the code the AI generates.

This blog has been adapted from an excerpted section of 1Password’s ebook: Credential sprawl: How AI increases the risks. To read the complete ebook and learn more about the evolving challenges of credential sprawl, click here.The proliferation of credentials outside centralized visibility and control is known as “credential sprawl,” and attackers are eager to take advantage of it. Unfortunately, credential management is a broad problem that only grows in complexity as organizations add new tool

Introducing new features in 1Password Enterprise Password Manager – MSP Edition to reduce client onboarding effort and give MSPs greater control over policies, access, and usage.Setting up and managing client environments often involves repetitive, manual work. Each new managed company requires policy setup, access configuration, and ongoing oversight. Repeating this across environments slows onboarding, introduces inconsistencies, and makes it harder to maintain control.To address this, 1Passwo

What to validate, what to avoid, and how to keep your tokens out of trouble.

In a chatbot, prompt injection produces a wrong answer. In an agentic system, it produces a wrong action.

WorkOS uses AI-powered code generation to build and maintain SDKs across multiple languages from a single OpenAPI spec.

Electron 42 has been released! It includes upgrades to Chromium 148.0.7778.96, V8 14.8, and Node v24.15.0.

はじめに こんにちは。MIU AI戦略本部でAIエンジニアをしている田中宏樹です。 LLMを活用した ...

How to build the “Trust Layer” for Github Copilot Coding Agents without brittle scripts or black-box judgements by using dominatory analysis.The post Validating agentic behavior when “correct” isn’t deterministic appeared first on The GitHub Blog.

Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and local files.

Mat Marquis on Google pulling the web standards equivalent of U2 album marketing:As a Chrome user, you’ll have received Gemini Nano in the form of a 4GB transfer recently; no permission asked or required. If you remove it, …Google’s Prompt API originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

On May 5, 2026, DENIC published broken DNSSEC signatures for the .de TLD, making millions of domains unreachable. Here's what 1.1.1.1 saw, how serve stale cushioned the impact, and how we restored resolution.

<p>I'm at Anthropic's Code w/ Claude event today. Here's my live blog of the morning keynote sessions.</p> <p>Tags: <a href="https://simonwillison.net/tags/ai">ai</a>, <a href="https://simonwillison.net/tags/generative-ai">generative-ai</a>, <a href="https://simonwillison.net/tags/llms">llms</a>, <a href="https://simonwillison.net/tags/anthropic">anthropic</a>, <a href="https://simonwillison.net/tags/claude">claude</a&gt...

<p>I recently talked with Joseph Ruscio about AI coding tools for Heavybit's High Leverage podcast: <a href="https://www.heavybit.com/library/podcasts/high-leverage/ep-9-the-ai-coding-paradigm-shift-with-simon-willison">Ep. #9, The AI Coding Paradigm Shift with Simon Willison</a>. Here are some of my highlights, including my disturbing realization that vibe coding and agentic engineering have started to converge in my own work.</p><p>One thing I really enjoy about ...

Most grid layouts sit in neat rows, perfectly aligned, like soldiers in formation. But sometimes you want something with more rhythm like, say, a zigzag pattern. Here's how to do it with CSS Grid.Making Zigzag CSS Layouts With a Grid + Transform Trick originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

The Mindful Design Toolkit is a collection of free, open source templates, workshops, and resources, built to empower your design journey. To coincide with the launch, we’ve also opened up over two hours of free lessons from the Mindful Design course.The toolkitFor a long time, open source projects and packages have given developers a wealth of resources to learn, improve, or simply make our lives easier. While there are some fantastic open source design tools out there, when it comes to the act

An honest perspective on building local-first web apps in 2026, written for developers who’ve been doing this long enough to be skeptical of silver bullets.

Get a preview of the next Chrome release with this post detailing the features in the current beta.

Stateless auth, RLS-scoped clients, and CORS on the server, without the boilerplate.

`sibling-index()` は要素の兄弟要素の中でのインデックスを返します。`sibling-index()` 関数により取得したインデックスを使用することにより、スタッガー（時間差）アニメーションや、色相を段階的に変えるといった、兄弟要素の位置に基づいたスタイリングが可能になります。これまでは JavaScript を使用して実装する必要があったような効果も、純粋な CSS で実現できるようになります。

The perils of logging in

Most marketing sites ship a SPA framework just to toggle a sidebar. Here's how we migrated an Astro site from React and Ark UI to native Web Components: 100 KB less JavaScript, no functionality lost, and a tiny library called nanotags that makes Custom Elements enjoyable to write.

The thinking and intentionality behind our latest brand evolution, website, and what it says about the future of Remix.

Listen to this episode on Apple PodcastsnullListen nowListen to this episode on SpotifynullListen nowSecurity is tied to business operations in many (often unappreciated) ways, but the connection is rarely more visible or consequential than during an acquisition or partnership. In those deals, a company stakes its reputation and finances on another company, and a lapse in security can throw the whole thing into chaos.That’s the subject of this episode of Chasing Entropy, in which Dave Lewis talk

The 2026 guide to SSO, SCIM, MCP, audit logs, RBAC, and the rest of the B2B SaaS enterprise readiness checklist.

A practical comparison of the leading MCP authentication providers across OAuth 2.1 support, enterprise identity, and integration paths.

A detailed glimpse at Project Horizon: an internal code factory at WorkOS.

Modern phones are not simple rectangles. They have rounded corners, camera cutouts, dynamic islands, and home indicators that double as…

Pro teams can now choose how Git committers to private repositories are added to their Vercel team. Choose your approval preference in .team settingsLearn more about and .collaboration settingstroubleshooting project collaborationRead more: non-team committers with Vercel accounts are automatically added to your team and their deployments proceed immediately. Added members count toward your team seats at standard Pro pricing.Auto Approval: deployments are blocked until an owner approves the new

You can now secure native integration resources by restricting where they can be used. Setting a resource to removes non-production access and protects credentials as . This makes it so secret values or no longer readable from the dashboard or CLI Production onlysensitive environment variablesFrom the integration resource , select and save. We recommend that you rotate the secrets of the integration resource after saving.SettingsAllowed Environments → Production onlyOnce applied:Reverting this s

Matt Smith makes a lot of good points in his article about no longer chaining things in JavaScript. Just those first two code samples in the post say a lot, but stick around for all the samples and learn a little somethin’. To me, it’s the inevitability that I’m going to need to log something between the […]

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-referrer-policy/releases/tag/0.1">datasette-referrer-policy 0.1</a></p> <p>The OpenStreetMap tiles on the Datasette <a href="https://datasette.io/global-power-plants/global-power-plants">global-power-plants demo</a> weren't displaying correctly. This turned out to be caused by two bugs.</p><p>The first is that the CAPTCHA <a href="https://github.com/s...

<p><strong><a href="https://andonlabs.com/blog/ai-cafe-stockholm">Our AI started a cafe in Stockholm</a></strong></p>Andon Labs previously <a href="https://andonlabs.com/blog/andon-market-launch">started an AI-run retail store</a> in San Francisco. Now they're running a similar experiment in Stockholm, Sweden, only this time it's a cafe.</p><p>These experiments are interesting, and often throw out amusing anecdotes:</p><blockq...

The open web is a critical platform for applications that handle highly sensitive data, from private communications to financial transactions and medical records. Traditionally, servers are trusted to deliver the appropriate code and resources for their web applications to browsers, who then provide a secure and isolated environment for their execution. In some circumstances, this […]The post Trustworthy JavaScript for the Open Web appeared first on Mozilla Hacks - the Web developer blog.

What maintainers are telling us, what we've shipped, and how to celebrate the people behind open source.The post Welcome to Maintainer Month: Celebrating the people behind the code appeared first on The GitHub Blog.

Design always starts with function — function shapes form. But if that function can’t be made completely invisible and people still have to interact with it, it inevitably becomes part of their experience. In this article, Kyrylo Levashov shares four common software design assumptions.

You can now access Observability Plus metrics in the Vercel CLI. Query observability data for any Vercel team or project using the new command. Coding agents can also leverage this new command to better analyze the performance, reliability, or security of applications on Vercel, as well as debug issues.vercel metricsThis feature is available in public beta for all teams with Observability Plus. about .Learn morevercel metricsRead more

Full-page accessibility tree by default, ad provenance tooltips, enhanced debugging for Speculation Rules, and major updates for DevTools for agents.

CSS name-only container queries, lazy-loading for video and audio, and the Prompt API.

Both Supabase Realtime and Supabase ETL read changes from your Postgres database using logical replication. But they solve very different problems. Here is how to pick the right one.

KIKO Milano on Vercel:Environments without the bottleneckShipping faster without the operational taxNo more performance variability during traffic spikesEliminated 3 weeks of Black Friday infrastructure prep75% decrease in app build timesWent from minimal releases to deploying multiple times per dayManual scaling window: Black Friday prep began 2–3 weeks ahead of the event, then had to be unwound after the traffic spike passed.Infrastructure configuration: The infra team manually adjusted AWS EC

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a7">datasette-llm 0.1a7</a></p> <blockquote><ul><li>Mechanism for <a href="https://github.com/datasette/datasette-llm/blob/main/README.md#configuration">configuring default options</a> for specific models.</li></ul></blockquote><p>Part of Datasette's evolving support mechanism for plugins that use LLMs. It's no...

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-echo/releases/tag/0.5a0">llm-echo 0.5a0</a></p> <blockquote><ul><li>New <code>-o thinking 1</code> option to help test against <a href="https://llm.datasette.io/en/latest/changelog.html#a0-2026-04-28">LLM 0.32a0</a> and higher.</li></ul></blockquote><p>This plugin provides a fake model called "echo" for LLM which doesn't run an...

ソースコードや設定ファイルに含まれるAPIトークンやパスワードなどの機密情報を見つけるSecretlintのv13.0.0をリリースしました。Release v13.0.0 · secretlint/secretlintこのバージョンの主な変更点は次の3つです。ファイル探索時に.gitignoreをデフォルトで尊重するように変更（Breaking Change）グロブメタ文字を含むパスが実在する場合はリテラルとして扱うように変更Tailscale/Stripeの検出ルールを新規追加、CloudflareをcanaryからrecommendへPromoteBreaking Change: .gitignoreをデフォルトで尊重v13.0.0では、ファイル探索時に.gitignoreの内容をデフォルトで尊重するようになりました。ripgrepと同じ挙動で、ネストされた.gitignoreファイルもサブディレクトリへカスケードして適用されます。深い階層のネガティブルール（!）で上位の判定を上書きできます。feat!: respect .gitignore by default via @se

<blockquote cite="https://daringfireball.net/2026/05/y_combinators_stake_in_openai"><p>So it’s well known that Y Combinator owns <em>some</em> stake in OpenAI. But how big is that stake? This seems like devilishly difficult information to obtain. I asked around and a little birdie who knows several OpenAI investors came back with an answer: Y Combinator owns about 0.6 percent of OpenAI. At OpenAI’s current <a href="https://openai.com/index/accelerating-the-next-phase-...

Master Playwright end-to-end testing: setup, authentication (basic, 2FA, passkeys), mocking, fixtures, and debugging with UI mode and Trace Viewer.

April had 8% revenue growth. New focus: Claude Code + Val Town MCP

A story of validating product demand on a $2K budget with 128 cold-traffic signups, an A/B winner at 95% confidence, and a sequenced playbook founders can run themselves.

A password manager should make everyday tasks feel simple. Whether that's:Saving a new passwordSigning in on your phoneFinding the right itemMoving your data from another password managerWe’ve made a set of updates across 1Password in our latest release to improve exactly these moments. Let's get into it!A direct way to move your credentials into 1PasswordSwitching password managers hasn’t always felt straightforward. Exporting sensitive data into files, moving them yourself, and importing them

Authentication in React Router v7 happens in loaders, not useEffect. A complete guide to server-side sessions, protected routes, and enterprise SSO.

A hands-on guide to implementing an MCP server in Python: tools, resources, prompts, transports, and authentication, with a full worked example.

<p><strong><a href="https://simonw.github.io/granite-4.1-3b-gguf-pelicans/">Granite 4.1 3B SVG Pelican Gallery</a></strong></p>IBM released their <a href="https://research.ibm.com/blog/granite-4-1-ai-foundation-models">Granite 4.1 family</a> of LLMs a few days ago. They're Apache 2.0 licensed and come in 3B, 8B and 30B sizes.</p><p><a href="https://huggingface.co/blog/ibm-granite/granite-4-1">Granite 4.1 LLMs: How They’re Built&l...

<blockquote cite="https://blog.andymasley.com/p/data-center-land-use-issues-are-fake"><p>[...] Between 2000 and 2024, farmers sold in total a Colorado-sized chunk of land all on their own, 77 times all land on data center property in 2028, and grew more food than ever on what was left. None of this caused any problems for US food access.</p><p>And then, in the middle of all this, a farmer in Loudoun County sells a few acres of mediocre hay field to a hyperscaler for ten ...

<p>I just sent out the April edition of my <a href="https://github.com/sponsors/simonw/">sponsors-only monthly newsletter</a>. If you are a sponsor (or if you start a sponsorship now) you can <a href="https://github.com/simonw-private/monthly/blob/main/2026-04-april.md">access it here</a>.</p><p>In this month's newsletter:</p><ul><li>Opus 4.7 and GPT-5.5, both with price increases</li><li>Claude Mythos and LLM security rese...

pnpm 11 turns on a 1-day Minimum Release Age and blocks exotic subdeps by default, adding safeguards against fast-moving supply chain attacks.

<p><strong>Research:</strong> <a href="https://github.com/simonw/research/tree/main/tre-python-binding#readme">TRE Python binding — ReDoS robustness demo</a></p> <p>If it's <a href="https://simonwillison.net/2026/May/4/redis-array/">good enough for antirez</a> to add to Redis I figured Ville Laurikari's <a href="https://github.com/laurikari/tre/">TRE</a> regular expression engine was worth exploring in a little more detail.</p...

Twenty-nine hours after [email protected] and @cap-js/[email protected] were compromised by the Shai-Hulud worm, a third major npm package has fallen: [email protected], the official Node.js SDK for the Intercom customer messaging platform, with 361,510 weekly downloads — more than the two yesterday’s compromised packages combined. The malicious version was published today at 14:41 UTC via a hijacked GitHub Actions OIDC publishing pipeline, confirming the worm is actively propagating through CI/CD infra

On April 30, 2026, a supply chain compromise was identified in the lightning PyPI package — versions 2.6.2 and 2.6.3. The project’s GitHub account shows signs of compromise, with issues reporting the attack closed rapidly by suspicious responses.

StepSecurity has detected a new npm supply chain attack campaign using preinstall hooks to download the Bun JavaScript runtime and execute an 11 MB obfuscated payload. At least two SAP-ecosystem packages are confirmed compromised so far.

A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. The same release run also pushed a multi-arch container image to GitHub Container Registry at ghcr.io/elementary-data/elementary, tagged both 0.23.3 and latest.

@bitwarden/[email protected] — the official command-line interface for the Bitwarden password manager — was found compromised on npm. A malicious preinstall hook silently bootstraps the Bun JavaScript runtime and launches a 9.7 MB obfuscated credential stealer that targets developer secrets, GitHub Actions environments, and — explicitly — AI coding tool configurations including ~/.claude.json and MCP server configs. All stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx.cx,

xinference

On April 21, 2026, malicious versions of pgserve were published to npm. pgserve is an embedded PostgreSQL server for development — zero config, auto-provisioned databases, designed to be dropped into any Node.js project. The compromised versions (1.1.11, 1.1.12, and 1.1.13) inject a 1,143-line credential-harvesting script that runs via postinstall on every npm install.

StepSecurity adds cooldown and group support for Dependabot configuration, giving teams control over update frequency and PR batching across npm, pip, Docker, and GitHub Actions. Reduce alert fatigue. Merge more patches. Strengthen your supply chain.

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/redis-array">Redis Array Playground</a></p> <p>Salvatore Sanfilippo submitted <a href="https://github.com/redis/redis/pull/15162">a PR</a> adding a new data type - arrays - to Redis. </p><p>The new commands are <code>ARCOUNT</code>, <code>ARDEL</code>, <code>ARDELRANGE</code>, <code>ARGET</code>, <code>ARGETRAN...

:nth-child supports the keyword `of` in the argument which can be super useful on it's own. Combo that with a :has() selector to do some pretty wild stuff!

OpenClaw builders will gather at GitHub HQ during Microsoft Build 2026 for demos and conversations. Join in person, or watch the livestream on Twitch.The post Register now for OpenClaw: After Hours @ GitHub appeared first on The GitHub Blog.

Getting a multi-column of cards to line up equally is is a headache we've all faced, and it gets even harder when working with fixed heights.Fixed-Height Cards: More Fragile Than They Look originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Branching without Git is now the default for all Supabase projects.

General Intelligence on VercelMigrating Cofounder's Python backend to VercelRunning Cofounder as a multi-tenant app on Vercel8-person team (5 engineers) shipping 10 PRs and 70+ commits per engineer, per day4,000+ preview branches with ~100 parallel app versions running at any moment90% of SRE work automated through Vercel and their own agent (Cofounder)Cofounder launches with a managed Vercel account for every customerGeneral Intelligence is building a platform that lets any founder run a compan

Today we’re open sourcing : a security harness powered by coding agents. It runs on your own infrastructure and surfaces hard-to-find issues in large codebases. deepsecYou can run on your laptop without setting up a cloud service for privileged source code access. For inference, you can use your existing Claude or Codex subscription without any additional setup. deepsecScanning large repos can take multiple days on a single machine. To run research jobs in parallel, supports optional fanout to V

私自身は Web 開発の経験はありますが、iOS アプリ開発の経験はほとんどありません。このようなバックグラウンドを持つ私がコーディングエージェントである Codex を利用して iOS アプリ開発をどこまで進められるか試してみました。コーディングエージェントは単に中身を見ずにアプリケーションを作るいわゆる「バイブコーディング」的な使い方だけでなく、なぜこのコードが必要なのか？より良い設計にできないか？といったことを随時質問しながら進める学習用途の使い方が中心です。

The latest National Institute of Standards and Technology (NIST) draft guidance on mobile driver’s licenses (mDLs) is about more than one use case or credential type. While the draft primarily focuses on the financial sector due to its high-assurance requirements, the bigger takeaway is that government-issued identity can be cryptographically verified and shared more selectively. This provides strong, cryptographically verifiable evidence of identity and shows what a more interoperable digital i

How identity providers learn what your SCIM server can do, through three discovery endpoints.

Email and IDP ID both fail as universal join keys. The fix is sensible defaults with real escape hatches.

Can a CDN help your site rank higher in search results? We break down the SEO benefits of using a CDN and walk through setting one up with Cloudflare.

Polypane 29 introduces an updated panel UI, a new network panel for inspecting requests, a new snippet store for discovering and installing…

<blockquote cite="https://www.anthropic.com/research/claude-personal-guidance"><p>We used an automatic classifier which judged sycophancy by looking at whether Claude showed a willingness to push back, maintain positions when challenged, give praise proportional to the merit of ideas, and speak frankly regardless of what a person wants to hear. Most of the time in these situations, Claude expressed no sycophancy—only 9% of conversations included sycophantic behavior (Figure 2). But ...

Playwright CLI v0.1.9 で追加されたアノテーション機能は AI エージェントに視覚的なフィードバックを与えるために便利な機能です。アノテーション機能を利用すると、ブラウザの要素を選択して、その要素に対するコメントを残すことができます。AI エージェントはこのアノテーションが残された要素を簡単に特定できるため、どのコードを修正すればよいのかを判断しやすくなります。

png-cmp is a program I built that checks if two PNGs are visually equivalent. It’s inspired by the cmp command. Here’s how you use it:png-cmp a.png b.pngLike cmp, it silently exits if the images are identical, and gives an error if they’re different.Unlike cmp, it checks pixel data, not binary data. PNGs can look the same but be stored differently. For example, png-cmp ignores text metadata.I was recently doing an experiment where I wanted to check if two PNGs were visually identical, so I built

<p><strong><a href="https://simonwillison.net/elsewhere/sighting/">/elsewhere/sightings/</a></strong></p>I have a new camera (a Canon R6 Mark II) so I'm taking a lot more photos of birds. I share my best wildlife photos on <a href="https://www.inaturalist.org/">iNaturalist</a>, and based on yesterday's <a href="https://simonwillison.net/2026/May/1/inat-sightings/">successful prototype</a> I decided to add those to my blog.</p>&lt...

We have completed a massive engineering effort to make our infrastructure more resilient. Through new tools like Snapstone and the Engineering Codex, we've implemented safer configuration changes and automated best practices to prevent future incidents.

The remediated findings include organization permission bugs, stale project access after transfers, OIDC replay edge cases, audit logging gaps, and an IDOR in API token deletion.

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/inat-sightings">iNaturalist Sightings</a></p> <p>I wanted to see my <a href="https://www.inaturalist.org">iNaturalist</a> observations - across two separate accounts - grouped by when they occurred. I'm camping this weekend so I built this entirely on my phone using Claude Code for web.</p><p>I started by building an <a href="https://github.com/simonw/inaturali...

TanStack Form offers a powerful solution for handling form complexity in React. It emphasizes strong typing, performance, and detail management.

How we built a Slack-native AI blog bot on Cloudflare Workers + Durable Workflows — proactive proposals, durable retries, and a multi-model writer pipeline.

Developers have been experimenting with HTML-in-Canvas, a hexagonal world map-analytics feature, a web-based OS for e-ink devices, replacing image sources using the content property, and more. This is What’s !important #10.What’s !important #10: HTML-in-Canvas, Hex Maps, E-ink Optimization, and More originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Dynamic Workflows is a library that lets you route durable execution to tenant-provided code on the fly. Built on Dynamic Workers, it enables platforms to serve millions of unique workflows at near-zero idle cost.

Fraude DesignWhy slop it when you can Fraude it?heerich.jsA really nice tool for generating 3D voxel scenes with fantastic documentation and examples.Searching for birdsSo much good stuff in this piece. It's so refreshing to see this sort of thing without scroll-jacking too.The sites we lostA huge archive of old websites from the older days that would have otherwise vanished or been taken over by ads.Digital Independence DayWe've shared a few things to help you get away from big tech over time b

Streaming UIs are an easy concept on the surface, but are quite complicated in practice. There are many considerations that need to be accounted for, from layout shifts and motion preferences to proper markup and various states, that may not be instantly obvious. What happens if the stream is interrupted? Can users tab through the UI on the keyboard as it shifts? What ARIA attributes might be needed?

Try out the Container Timing performance measurement API in origin trial from Chrome 148

GitBook on Vercel30,000 documentation sites hosted on a single Vercel deployment120 million monthly page views served from the edge40,000 cache invalidations processed daily, each resolved in under 300ms41% of all traffic now comes from AI crawlers and automated systemsGitBook hosts 30,000 documentation sites on Vercel, serving 120 million page views every month. Companies like n8n, Nvidia, and Zoom trust the platform to keep their docs fast and current. For modern engineering teams and coding a

JavaScript Primer (https://jsprimer.net/) では、毎年ECMAScriptの新しい仕様への追従を行っています。ES2026は2026年6月に正式リリースされる予定です。TC39ではすでにFeature Freezeが行われ、ES2026に入る予定の機能が確定しています。TC39 Process今年もES2026で追加される機能についての対応Issueを作成しました。これらのIssueを一緒に進めてくれるContributorと、JavaScript Primerの活動を支援してくれるSponsorを募集しています。次のDiscussionにコメントをください募集しているDiscussion: ES2026に対応するIssueへのContributorを募集しています · js-primer/js-primer · DiscussionsES2026対応のIssueES2026のMeta Issueとして次のIssueがあります。ES2026の対応 · Issue #1869 · js-primer/js-primer具体的に対応するものとして次の

can now connect to hosted Postgres databases, including , , , , and . To enable a connection, add the database host to your Sandbox's allowed domains.Vercel SandboxNeonSupabaseAWS RDSNilePrisma PostgresWhen is used with Vercel Sandbox, the sandbox firewall restricts outbound network access by checking the domain name during a connection's TLS handshake. This works seamlessly for HTTPS traffic, where the domain is visible at the start of the connection.SNI based filteringPostgres, however, negoti

GitHub account BufferZoneCorp published sleeper packages that later added credential theft, GitHub Actions tampering, fake go wrappers, and SSH persistence.

I wrote a simple script that translates text at the command line, completely offline. Here’s an example of how it works on my computer:echo '¿Cómo estás?' | translate# => How are you?It combines a few tools:TranslateGemma, a special-purpose language model for translationOllama, a tool for running language models locallyEfficient Language Detector, a library that detects the language for a piece of textHere’s the pseudocode of how it works:source = read_stdin()# Uses Efficient Language Detecto...

Highlightsno-unused-private-class-members SuggestionsThe no-unused-private-class-members rule now provides suggestions to remove reported unused private class members.For example, for the following code, in which the rule reports #doSomethingElse as unused:class C { /** * My public method. */ doSomething() { } /** * My private method. */ #doSomethingElse() { }}12345678910111213141516Copy code to clipboard It will now suggest removing #doSomethingElse. After applying the suggestion, the method an

Whether you’re juggling travel bookings with friends or packing the kids’ suitcases, planning a summer vacation can be far from relaxing. And once you get to your destination, the confirmation codes and passport numbers are always buried in the group chat when you need them most. But when you have all your travel essentials saved securely in one place, you can skip the scramble and put safe travels on autopilot. Before you take off this summer, check these tips to keep your information safe and

This month we got a ton of improvements to SvelteKit's remote functions, TypeScript 6.0 support and the experimental release of community plugins in the Svelte CLI.Svelte was also featured in ThoughtWorks Technology Radar!Big month, bigger showcase... so let's dive in!What's new in SvelteKitSvelteKit now supports TypeScript 6.0 (2.56.0, Docs, #15595)form fields can now specify a default value using field.as(type, value), reducing boilerplate for pre-populated forms (2.56.0, Docs, #15577)Remote f

The Ember project is excited to announce the release of Ember v6.12. Following Ember's Major Version Policy, version 6.12 will be the final release of the 6.x series. This release of Ember.js is an LTS (Long Term Support) candidate. LTS candidates prioritize stability over the addition of new features, and have an extended support schedule.Ember.js 6.12Ember.js 6.12 does not introduce any new features in this release, but we have done some major improvements to the internal structure of the repo