<p><strong>Release:</strong> <a href="https://github.com/simonw/datasette/releases/tag/1.0a30">datasette 1.0a30</a></p> <p>The big new feature in this alpha is a new customizable "Jump to..." menu, described in detail in <a href="https://datasette.io/blog/2026/jump-menu/">The extensible "Jump to" menu in Datasette 1.0a30</a> on the Datasette blog. You can try it out by hitting <code>/</code> on <a href="https://latest.datasett...

はじめに 株式会社 WinTicket でエンジニアをしている長田(@ostk0069)です。 WI ...

こんにちは！システムセキュリティ推進グループの小笠原 (@gassara5) です。 最近では連日の ...

<blockquote cite="https://lucumr.pocoo.org/2026/5/24/pi-oss/"><p>The most frustrating failure mode right now is that people submit issues that are not in their own voice. They contain an observed problem somewhere, but it has been thrown into a clanker and the clanker reworded it and made a huge mess of it. Typically, it was prompted so badly that the conclusions produced are more often than not inaccurate but always full of confidence. The result is complete guesswork on root cause...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/usborne-mad-house">Mad House — Usborne Creepy Computer Games</a></p> <p>Via <a href="https://news.ycombinator.com/item?id=48258194">Hacker News</a> I learned that UK publisher Usborne published <a href="https://usborne.com/us/books/computer-and-coding-books">free PDFs of their 1980s Computer Books</a>, some of which I remember working through on my Commodore 64 as...

2026-07-28 MCP 仕様リリース候補の最も大きな変更点は、MCP サーバーがステートレスファーストになることです。これにより、MCP サーバーはシンプルなロードバランサーの背後でスケーリングできるようになります。また `Mcp-Method` ヘッダに基づいたトラフィックのルーティングや、サーバー応答のキャッシュなども可能になります。この記事では 2026-07-28 MCP 仕様リリース候補におけるステートレスなプロトコルの変更点について紹介します。

pnpm 11.3 adds support for npm's staged publishing (pnpm stage), the new trustLockfile setting for skipping the supply-chain verification pass on already-trusted lockfiles, and native implementations of pnpm pkg, pnpm repo, and pnpm set-script. It also adds a --skip-manifest-obfuscation flag for pack / publish and cuts the memory footprint of minimumReleaseAge / trustPolicy verification on large workspaces.

<p><strong><a href="https://benmyers.dev/blog/on-the-dl/">On the <dl></a></strong></p>I learned a few new-to-me things about the <code><dl></code> element from this article by Ben Meyer:</p><ol><li>A <code><dt></code> can be followed by <em>multiple</em> <code><dd></code></li><li>You can optionally group the <code>&lt...

On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote every git tag across multiple popular Composer packages within a single 15 minute window. Anyone running composer update or installing fresh against laravel-lang/http-statuses, laravel-lang/actions, or laravel-lang/attributes now pulls a payload that exfiltrates CI secrets to a typosquatted attacker domain. StepSecurity confirmed end to end exploitation in an isolated runner and has filed security issue

<p><strong><a href="https://davidoks.blog/p/ai-is-killing-the-cheap-smartphone">The memory shortage is causing a repricing of consumer electronics</a></strong></p>David Oks provides the clearest explanation I've seen yet of why consumer products that use memory are likely to get significantly more expensive over the next few years.</p><p>The short version is that memory manufacturers - of which there are just three remaining large companies - have...

A forged commit. A workflow file disguised as a routine CI optimization. Within 6 hours, 5,561 GitHub repositories were backdoored. Cloud credentials harvested. SSH keys stolen. OIDC tokens minted and exfiltrated before any runner finished. The attacker never touched your application code, only your pipeline. Most repositories had no idea it happened.

We are committed to empowering every developer by building an open, secure, and AI-powered platform that defines the future of software development.The post GitHub recognized as a Leader in the Gartner® Magic Quadrant™ for Enterprise AI Coding Agents for the third year in a row appeared first on The GitHub Blog.

Despite the countless number of online resources, it’s easy to get confused when trying to center an element. There are documented solutions, but do you really understand why the code you picked works? Let's look at the current state of centering options today in 2026. The State of CSS Centering in 2026 originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

What people say, feel, think, and do are often very different things. To understand the underlying reasons for user behavior, it helps to look beyond the surface and explore hidden motivations, root causes, and the different layers of reality that shape how people act. Brought to you by Measuring UX Impact, **friendly video course on UX** and design patterns by Vitaly.

On Google declaring war on the WebThe time to fight back against Google is right now or we end up with AOL, slop edition.Mechanical PencilBeautifully illustrated guides on how stuff works, by mechanical engineer and artist, Bryan Macomber.Nearly 50,000 Lake Tahoe residents have to find a new power source after their energy source looks to redirect lines to data centersBut AI is a bit useful though, right?ParachordSome great looking software that should make organising your combined stream-based

`import defer`, six new subcommands (`deno transpile`, `deno pack`, `deno bump-version`, `deno ci`, `deno why`, `deno audit fix`), network debugging in Chrome DevTools, framework-aware `deno compile`, and 3.66x faster cold npm installs.

Another Google I/O is behind us and we have covered all the exciting extensions updates!

Nx Console VS Code Extension Compromised

<p><strong><a href="https://www.ftc.gov/news-events/news/press-releases/2026/05/ftc-require-cox-media-group-two-other-firms-pay-nearly-1-million-settle-charges-they-deceived">FTC to Require Cox Media Group, Two Other Firms to Pay Nearly $1 Million to Settle Charges They Deceived Customers About “Active Listening” AI-Powered Marketing Service</a></strong></p>Back in 2024 Cox Media Group were caught trying to sell advertisers packages based on "active listening...

はじめに はじめまして！埼玉大学大学院 修士2年の 半澤 恭介 です。 2026年4月 ...

What if anyone in a company could build the exact software they need, without writing a single line of code? Agentic software factories, powered by GenAI, are making this possible - and they're redefining what it means to be a software engineer.

How audience-bound tokens work, and why they're required for secure MCP authorization

はじめに こんにちは。全社データ技術局データビジュアライゼーションチームの與田龍人です。 モダンデー ...

Safari Technology Preview Release 244 is now available for download for macOS Tahoe and macOS Sequoia.

<p>We just <a href="https://datasette.io/blog/2026/datasette-agent/">announced the first release of Datasette Agent</a>, a new extensible AI assistant for Datasette. I've been working on my <a href="https://llm.datasette.io/">LLM</a> Python library for just over three years now, and Datasette Agent represents the moment that LLM and <a href="https://datasette.io/">Datasette</a> finally come together. I'm really excited about it!</p><p>Datase...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent-sprites/releases/tag/0.1a0">datasette-agent-sprites 0.1a0</a></p> <p>A Datasette Agent plugin for running commands in a <a href="https://sprites.dev">Fly Sprites</a> sandbox.</p> <p>Tags: <a href="https://simonwillison.net/tags/sandboxing">sandboxing</a>, <a href="https://simonwillison.net/tags/datasette">datasette</a>, <...

Support for Web Serial in Firefox 151 for Desktop Firefox can now connect directly to microcontrollers, development boards, 3D printers, power meters, and other serial-connected hardware from the web. Starting in Firefox 151 for Desktop, support for the Web Serial API allows web applications to communicate with compatible devices without requiring native software. Web Serial […]The post Announcing Web Serial Support in Firefox appeared first on Mozilla Hacks - the Web developer blog.

Check out these 10 open source tools that help game developers create art, animation, levels, audio, dialogue, debug UIs, and engine-ready assets.The post Beyond the engine: 10 open source projects shaping how games actually get made appeared first on The GitHub Blog.

The new No-Vary-Search header can be used to tell browsers that a query string like ?product_id=7 means the content on that URL is unique based on the query parameter, so cache pages like that individually. But also that a query string like ?utm_source=frontendmasters does not have unique content, so don’t cache it individually. (As explained […]

Cloudflare now integrates with the Claude Compliance API, so that security teams can monitor Claude Enterprise activity directly in the Cloudflare Dashboard.

Explore our update on GitHub’s accessibility strategy, and learn how you can join us in building a culture of accessibility.The post Building GitHub’s next chapter in accessibility appeared first on The GitHub Blog.

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent-charts/releases/tag/0.1a2">datasette-agent-charts 0.1a2</a></p> <blockquote><ul><li>"View SQL query" buttons below rendered charts.</li></ul></blockquote> <p>Tags: <a href="https://simonwillison.net/tags/datasette">datasette</a>, <a href="https://simonwillison.net/tags/datasette-agent">datasette-agent</a></p&g...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent/releases/tag/0.1a3">datasette-agent 0.1a3</a></p> <blockquote><ul><li>"View SQL query" buttons for both visible tables and collapsed SQL result tool calls.</li><li>Don't display empty reasoning chunks</li><li>Improved handling of truncated responses - table still displays to the user even if the SQL results were truncated when showing t...

Why we needed an agent firewall that speaks more than HTTP.

Learn how to write effective alternative text for images — and let CKEditor AI generate it for you. Covers WCAG guidelines, context-based best practices, and how to handle decorative, complex, and linked images.

Dev Machine Guard now scans IDE extensions across VS Code, Cursor, Windsurf, JetBrains IDEs, Android Studio, Eclipse, and Xcode on macOS, Windows, and Linux. Get a unified inventory, extension risk scoring, typosquat detection, and compromised extension visibility across your entire developer fleet.

Yarn Berry, pnpm, and npm all support surgical CVE remediation. Bun, today, doesn't. Here's what I found when I tried to apply my own workflow to a Bun project.

A quick note before we get into things: this is a practical guide that covers managing, building and packaging design system components. It’s impossible to go into thorough detail at every step of the way without this becoming a full course. Some basic knowledge is assumed:A basic working knowledge of HTML and CSSA basic grasp of web componentsA working installation of Node.js and npmAbility to navigate a terminal well enough to install some packagesBasic knowledge of config files and JSONGraspi

You can now access anomaly alerts and their details directly through the .Vercel CLIWith the command, you can list all alerts for a team or given project. For each alert, you can view the start time, the type of alert, and whether or not the alert is still active.vercel alertsWith the option, the AI investigation results appear alongside each alert. You and your agent can act on alerts without leaving the terminal.--aiAvailable on .Observability PlusLearn more about in the .vercel alertsCLI docu

Meet `sibling-index()` and `sibling-count()`. Staggered cascade effect in one line of CSS without `:nth-child()` rules or JS workarounds. Works for 5 items or 5,000.

A poisoned VS Code extension breached GitHub. A trojanized PyPI package hit Microsoft. Compromised GitHub Actions and a self-spreading npm worm targeted thousands more. In just 48 hours, attackers hit every layer of the software development pipeline. Traditional security tools did not stop any of it.

All the talks from Google I/O 2026 are now available on demand.

Recap of how to modernize authentication with passkeys, digital credentials, and more, based on the Google I/O 2026 session.

Qwen 3.7 Max from Alibaba is now available on . The model is designed as an agent foundation, with capabilities spanning coding, office workflow automation, and long-horizon autonomous execution.Vercel AI GatewayQwen 3.7 Max shows improvements in frontend prototyping and complex multi-file engineering. The model supports office and productivity tasks through multi-agent orchestration and sustains coherent reasoning across long-horizon tool-calling sessions.To use Qwen 3.7 Max, set model to in th

Orchestration Guildメンバーの福山です。普段はLINEレストランプラスというサービスで、フロントエンド開発を担当しています。この記事は、Orchestration Developme...

LINEヤフー株式会社では、技術に関するイベントや勉強会の主催・協賛などを行っています。最新情報は各リンク先でご確認ください。タイミングによっては、申し込み開始前や既に満席となっていることがあります。...

Un logiciel sur mesure. 5 000 € en 4 semaines, livré ou remboursé.

Full postmortem of the malicious Nx Console v18.95.0 published to Visual Studio Marketplace and Open VSX on 2026-05-18, originating from the TanStack npm supply-chain compromise that exfiltrated a contributor's gh CLI OAuth token seven days earlier.

A step-by-step guide to migrating homegrown SAML and OAuth/OIDC connections to WorkOS with zero customer downtime

What engineers and founders need to know about designing APIs, tools, and interfaces for agent-driven workflows

Google enforces exact-match redirect URIs with no wildcards and no exceptions. Here's how to handle that cleanly when every customer has their own domain.

Introducing auth.md — an open protocol that lets agents register for your service.

You can now configure weighted traffic splits for with the new command in the Vercel CLI. This allows you to send a percentage of traffic to one variant and the rest to another.Vercel Flagsvercel flags splitRun the command interactively, or pass the environment, bucketing attribute, and variant weights as flags:Update to the latest version of the and read the to get started.Vercel CLIdocumentationRead more

<blockquote cite="https://www.sec.gov/Archives/edgar/data/1181412/000162828026036936/spaceexplorationtechnologi.htm"><p>We have the ability to use compute resources to support our proprietary AI applications (such as Grok 5, which is currently being trained at COLOSSUS II), while also providing access to select compute capacity to third-party customers. For example, in May 2026, we entered into <strong>Cloud Services Agreements with Anthropic PBC</strong> (“Anthropic”), ...

If any impact is discovered, customers will be notified via established incident response and notification channels.The post Investigating unauthorized access to GitHub-owned repositories appeared first on The GitHub Blog.

<p><strong><a href="https://mikeveerman.github.io/tokenspeed/">How fast is 10 tokens per second really?</a></strong></p>Neat little HTML app by Mike Veerman (<a href="https://github.com/MikeVeerman/tokenspeed/blob/master/index.html">source code here</a>) which simulates LLM token output speeds from 5/second to 800/second.</p><p>Useful if you see a model advertised as "30 tokens/second" and want to get a feel for what that actually look...

Dev Machine Guard now supports Linux, giving security teams full visibility into Linux, macOS, and Windows developer machines. Detect AI coding agents, IDE extensions, MCP servers, npm and system packages, and compromised dependencies across your entire developer fleet from one dashboard.

Dev Machine Guard now supports Windows, giving security teams full visibility into Windows and macOS developer machines. Detect AI coding agents, IDE extensions, MCP servers, npm packages, and compromised dependencies across your developer fleet from a single dashboard.

Three malicious versions of Microsoft's official durabletask Python SDK were published to PyPI on May 19, 2026. The compromised package silently downloads and executes a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale, a hallmark of Eastern European cybercrime operations. The attack has been linked to the TeamPC

Disabling asm.js optimizations in SpiderMonkey

A recap of the WorkOS Applied AI showcase: the team, the tools (WOW, Horizon, Case, Wallaby), and what we've learned shipping AI internally.

<p>It's hard to find much to write about Google I/O this year because I have a policy of not writing about anything that I can't try out myself, and a lot of the big announcements are "coming soon".</p><p>I actually prefer to write about things that are in general availability, because I've had instances in the past where the previews didn't match what was released to the general public later on.</p><p>Aside from <a href="https://simonwillison.net/2026/May/19/ge...

記事は ics.media へアクセスしてご覧ください。

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent-charts/releases/tag/0.1a1">datasette-agent-charts 0.1a1</a></p> <blockquote><ul><li>More color! Bar and waffle charts without a color column are shaded by magnitude with a sequential color scheme; color columns holding text values use the <code>observable10</code> categorical scheme. #2</li><li>Now checks <code>execute-sql</cod...

It still hits like a ton of bricks to see the steep decline in Stack Overflow questions. What does that mean about learning in our industry?Stack Overflow: When We Stop Asking originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Good luck on non-Apple devices! You may want to try remote hardware or an online service. Or go refurbished and try to keep the cost down.

The release brings AI Chat improvements and experimental AI support for multi-root and multiple editor setups, along with several fixes and improvements.

NGINX is at the heart of a significant portion of the modern internet. Trusted at scale for more than two decades, it helps deliver the traffic for over one third of the internet today. NGINX is the quiet workhorse behind a huge slice of the traffic you served, fetched, and clicked through today. A project […]

Grok Build 0.1 is now available on .Vercel AI GatewayThis is a beta coding model trained for agentic coding, currently in early access, and powers the Grok Build CLI app. Reasoning effort is not configurable, and there is no non-reasoning mode.To use Grok Build 0.1, set model to in the .xai/grok-build-0.1AI SDKAI Gateway provides a unified API for calling models, tracking usage and cost, and configuring retries, failover, and performance optimizations for higher-than-provider uptime. It includes

こんにちは！PR TIMESの田中 湧大（@Romira915）です。普段はエンジニアとして、プレスリリース配信サービス PR TIMES の開発を行っています。 PR TIMES は Laravel […]

Coding agents like Codex are helping developers write, execute, and prepare code for production. Every action that AI coding agents take against a database, an API, or a deployment pipeline requires access to credentials. Today, these credentials typically live in .env files, scripts, or hardcoded in repositories, where they can be easily exfiltrated and are difficult to govern and audit. The shift from AI assistance to AI execution has outpaced how teams manage the secrets needed for execution.

There’s a question we get asked constantly, and it’s the right one to ask: “Can 1Password see the contents of my vault?”The answer is no, and it’s because of how we built the product, not just a promise we’re making. That’s an important distinction, because “we promise” has never been an acceptable answer in this industry. After all, promises get broken, and companies get compromised, acquired, and are under constant attack from threat actors. 1Password’s commitment to our security principles is

pnpm 11.2 ships an experimental opt-in into pacquet (the Rust port of pnpm) as the install backend, expands config dependencies to install one level of optionalDependencies (so the esbuild/swc platform-binary pattern works for config deps too), wires up the long-documented pnpm login --scope flag, and surfaces runtime entries (Node.js, Deno, Bun) in pnpm outdated and pnpm update --interactive.

Keycloak SCIM vs. WorkOS Directory Sync: A deep dive into features, gaps, and production readiness.

Humans, scripts, and AI agents are all calling your API. Here's how to give each of them secure, scoped credentials without building key management from scratch.

Stolen tokens should be worthless. Here's how to make them so.

Chat SDK now ships a built-in toolset through the new subpath. One call wires Chat SDK's read and write actions into your agent.AI SDKchat/aicreateChatTools(chat) and its supporting types have moved to . The previous re-exports are flagged .toAiMessageschat/aichat@deprecatedRead the to get started, or try one of our .documentationtemplatesRead morewrite tools are gated by a option.Approval by default: requireApproval, , and scope the toolset.Presets: readermessengermoderatoronly the tools your p

You can now read the parent issue or pull request when your bot is mentioned in a Linear or GitHub comment. resolves to that parent with title, status, URL, and the full typed payload.message.subject is cached per message, so repeated access only hits the API once. It resolves to on Slack and other chat platforms, where there's no parent resource.message.subjectnullThe GitHub, Linear, and Slack adapters now expose their underlying platform SDKs. Use them to extend your bot by calling provider AP

You can now pause a run on a Chat SDK card and resume it when someone clicks a button. The same flow works for form submissions. Buttons and modals accept a new prop, and the event payload is sent to that endpoint.WorkflowcallbackUrlTo build a card like this, create a and pass its URL to each button's prop inside your component:workflow webhookcallbackUrl<Card>For the component, the form data is in the payload. works for buttons on most platforms with an , and for modals on Slack and Teams...

The gives any WordPress site access to hundreds of models from 40+ providers through a single API key. Providers include Anthropic, Google, OpenAI, xAI, DeepSeek, MiniMax, Moonshot AI, and more.Vercel AI Gateway pluginThe plugin is implemented as a connector for the new , which requires WordPress 7.0, released today.WordPress AI ClientTo call AI Gateway directly from your own code:See the for more details, including examples for text, structured JSON output, image generation, and video.plugin do

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-gemini/releases/tag/0.32">llm-gemini 0.32</a></p> <blockquote><ul><li>New model <code>gemini-3.5-flash</code> for <a href="https://blog.google/innovation-and-ai/models-and-research/gemini-models/gemini-3-5/">Gemini 3.5 Flash</a>.</li></ul></blockquote><p>See also my <a href="https://simonwillison.net/2026/May/19/gemini-35-fl...

はじめに こんにちは。CyberAgent Dev PlatformでBucketeerのオーナーを ...

<p>Today at Google I/O, Google <a href="https://blog.google/innovation-and-ai/models-and-research/gemini-models/gemini-3-5/">released Gemini 3.5 Flash</a>. This one skipped the <code>-preview</code> modifier and went straight to general availability, and Google appear to be using it for a whole lot of their key products:</p><blockquote><p>3.5 Flash is available today to billions of people globally:</p><ul><li>For everyone via the...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm-accountant/releases/tag/0.1a4">datasette-llm-accountant 0.1a4</a></p> <blockquote><ul><li>Fixed bug tracking chains of responses. Refs <a href="https://github.com/datasette/datasette-llm/issues/7">datasette-llm#7</a></li></ul></blockquote> <p>Tags: <a href="https://simonwillison.net/tags/datasette">datasette</a>, &...

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-gemini/releases/tag/0.32a0">llm-gemini 0.32a0</a></p> <blockquote><ul><li>Compatible with <code>llm>=0.32a0</code> alpha - adds the ability to stream reasoning tokens.</li></ul></blockquote> <p>Tags: <a href="https://simonwillison.net/tags/llm">llm</a>, <a href="https://simonwillison.net/tags/gemini">gemini</a&g...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a8">datasette-llm 0.1a8</a></p> <blockquote><ul><li>Fix for bug where <code>llm_prompt_context()</code> hook did not fully collect chains of responses. #7</li></ul></blockquote>

The now supports . Your agent tools can return interactive HTML responses that MCP clients like Claude and ChatGPT render inline, rather than plain-text responses.Nuxt MCP ToolkitMCP appsDeclare a tool with the macro, then read pre-hydrated data, trigger follow-up prompts, or call other tools from inside the UI with the composable. The toolkit bundles each Vue SFC into a self-contained HTML file at build time and serves it from your MCP endpoint.defineMcpAppuseMcpAppRead the to get started.Nuxt

Una Kravets: Creating non-standard shapes on the web, like a speech bubble or a heart have typically required you to cut off your actual borders with clip-path. […] This is where border-shape comes in. It’s a powerful upcoming CSS primitive that defines a custom shape for an element’s border. Welp, clip-path() had a good run. I’ll always be fond […]

Cloudflare has integrated with Anthropic's Claude Managed Agents to provide a fast, isolated execution environment for autonomous code delivery. This means builders can scale agent workflows globally while strictly controlling access to private backends and easily customizing their agent’s tools and runtimes.

Learn about the key announcements from Google I/O 2026.

Chrome DevTools for agents provides your coding agent with the visibility it needs to verify, debug, and optimize code in real time.

Learn about new out-of-order streaming capabilities and the renewed HTML insertion and streaming methods available for testing from Chrome 148

Learn about the HTML-in-Canvas origin trial in Chrome, and how it can help bring the DOM to your Canvas-driven applications.

Gemini 3.5 Flash is now available on .Vercel AI GatewayThis model has improved coding proficiency and parallel agentic execution loops versus previous Flash versions. It also brings improvements to core reasoning, instruction following, and multi-turn coherence, with stronger performance on complex tasks and higher-quality reasoning traces in thinking mode.3.5 Flash defaults to the thinking level, balancing response quality with faster, more cost-efficient generation.mediumTo use Gemini 3.5 Flas

A new wave of the Mini Shai-Hulud worm has compromised packages across Alibaba's AntV data visualization ecosystem, echarts-for-react, timeago.js, and dozens more. Stolen CI/CD secrets are being dumped to thousands of public GitHub repositories as the attack continues to spread.

The popular GitHub Action actions-cool/issues-helper has been compromised. Every existing tag in the repository has been moved to point to a single imposter commit that does not appear in the action's normal commit history. That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action.

Introducing Secure Registry by StepSecurity: install-time defense for the npm supply chain. Block malicious packages, enforce package cooldowns, and protect CI/CD pipelines, developer machines, and artifact managers from modern software supply chain attacks.

Active Supply Chain Attack: Malicious node-ipc Versions Published to npm StepSecurity has detected multiple malicious releases of the popular node-ipc npm package. Three versions are currently known to be compromised, containing an obfuscated payload designed to steal cloud credentials, SSH keys, and CI/CD secrets. Our team is actively analyzing the attack, and this post will be updated as our investigation progresses

こんにちは、iOSエンジニアのyamakenです。2026年4月12日（日）から14日（火）の3日間にわたり開催された、try! Swift Tokyo 2026に、LINEヤフー株式会社はGOLDス...

<p>I put together these annotated slides from my five minute lightning talk at PyCon US 2026, using the <a href="https://tools.simonwillison.net/annotated-presentations">latest iteration</a> of my <a href="https://simonwillison.net/2023/Aug/6/annotated-presentations/">annotated presentation tool</a>.</p><div class="slide" id="5-minutes-llms.001.jpeg"> <img loading="lazy" src="https://static.simonwillison.net/static/2026/5-minutes-llms/5-minutes-llms....

AI-assisted code generation is not free. It comes with a hidden cost: burnout. Are we dangerously ignorant to this problem? And how can we cope with it? In this post, we discuss this question.

Zero-Shot Learning is a podcast for AI builders, hosted by Nancy Wang, Chief Technology Officer at 1Password, and Dev Tagare, Senior Director and Head of Engineering for Gemini Enterprise & Business at Google. Together, they’ve built and scaled AI systems at the infrastructure and product layers and bring a builder's perspective to every conversation.The name, zero-shot learning, is an AI concept about applying existing knowledge to new tasks without specific training. For this show, it’s al...

Design system work follows a well-defined loop: read the ticket, check the Figma spec, find the right component primitives, apply the right tokens, write the Storybook stories, run the tests, open the PR. The steps are consistent enough that when we looked at our design system backlog, we didn't just see a list of tasks; we saw a set of instructions waiting to be executed.So we set an agent loose on the loop. At first, it was a semi-hot mess. But then we gave it the right context, and boom, it h

Val Town is the Salt Fat Acid Heat of vibe coding platforms

Webpack 5.107

How SSO eliminates the manual work of enterprise user onboarding.

What happens to a user's session when they switch organizations, how to scope tokens to prevent cross-tenant leaks, and where most implementations still go wrong.

I tried to reverse-engineer how SSO works from three angles: as the employee logging in, the IT admin managing access, and the developer who needs to support it. Here is what I learned.

Flat Rate CDN is now available in Limited Beta for Pro teams. It replaces usage-based CDN pricing with a fixed monthly fee.Viral posts, unfiltered bots, or misconfigured routes can turn a normal month into a surprise bill. Flat Rate CDN makes your cost predictable.Flat Rate CDN is a good fit for teams with unpredictable CDN bills, individual builders who don't want a usage spike to break the bank, and growing businesses that need to know their CDN costs before the month starts.Pro teams can join

You can now run with .Claude Managed AgentsVercel SandboxClaude Managed Agents handles the model, harness, tools, and session state. Self-hosting lets you bring the execution environment, so an agent's tool calls run on your existing Vercel infrastructure with your private APIs, internal services, and customer data.Each agent session runs in its own isolated Firecracker microVM, using the same infrastructure that powers 1B+ Vercel deployments with enterprise-grade security, availability, and per

Monorepos can now opt in to a single, consolidated commit status on pull requests instead of one commit status per project. For repos with many projects, teams can configure GitHub branch protection once, then manage which Vercel projects are required for merge in each project’s settings. Read more about and and enable Consolidated Commit Status from your .Github Commit statusesproject settingsRead more

Automatic setup with agents, review filters, TanStack React, and more

Vercel Firewall now waives CDN Requests and Fast Data Transfer for any traffic denied, challenged, or rate‑limited by Web Application Firewall (WAF). Vercel has always provided unlimited DDoS mitigation at no cost. Vercel WAF, included in CDN cost, gives you custom rules, managed rules, and rate limiting for bad traffic that isn't DDoS. With this change, you don't pay for requests or bandwidth that WAF denies, challenges, or rate‑limits. That means no surprise bill when a scraper hammers your pr

Kick off work in VS Code or the CLI, finish it from your phone. Remote control for GitHub Copilot sessions is now generally available on github.com and GitHub Mobile. The post Take your local GitHub sessions anywhere appeared first on The GitHub Blog.

<p><img src="https://static.inaturalist.org/photos/662161673/large.jpg" alt="Glaucous-winged Gull"></p><p><img src="https://static.inaturalist.org/photos/662161721/large.jpg" alt="Glaucous-winged Gull"></p><p><img src="https://static.inaturalist.org/photos/662161937/large.jpg" alt="Brown Pelican"></p><p><img src="https://static.inaturalist.org/photos/662161148/large.jpg" alt="Snowy Egret"></p><p><img src="https://s...

RSCs in TanStack Start are server-only executed code — perhaps a significant improvement over the Next.js implementation.

This is Part 1 of a two-part series about cross-document view transitions, going over all the gotchas, from ditching the deprecated way to opt into them to a little-known 4-second timeout.Cross-Document View Transitions: The Gotchas Nobody Mentions originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Inside Claude Day at WorkOS: 39 teams, a one-day hackathon, and one rule — the non-engineer drives. Here's what we built and what we learned.

Hermes Agent は v0.14.0 で xAI の Grok モデルとの統合できるようになりました。Grok モデルは X（旧 Twitter）の投稿を検索できる `x_search` ツールを使えることが特徴で、リアルタイムでトレンドを把握したり、最新の情報を取得できることが強みとなっています。この記事では Hermes Agent と Grok の統合を試してみた様子を紹介します。

In recent weeks, we pointed Mythos and other security-focused LLMs at live code across critical parts of our infrastructure. We share what we observed, the models’ strengths and weaknesses, and what the work around them needs to look like before any of it can scale.

こんにちは、フルタイムで Ruby の開発をしている遠藤（@mametter）です。 Spinel で Optcarrot を走らせることができた！？ので、その結果をご報告します。 Spinel とは 先日の RubyKaigi 2026 では、Ruby の AOT コンパイラである Spinel が発表されました。 Spinel は抽象解釈に基づいて Ruby コードの型を推定し、それに最適化した表現で Ruby コードを C 言語コードに変換します。 Matz 自ら作っていること、全面的に AI に作らせていることなどが話題です。 Spinel は TypeProf に着想を得て作られてい…

Coding Agentと業務ツールを連携した業務改善は、開発現場では当たり前になりつつあります。しかし、その恩恵は本当に組織全体に広がっているでしょうか。「一度触ればすごさはすぐ伝わる。ただ、その一...