If we give a `container-name` to the root of all our unique components, we can scope styles to them with a simple @container query.

Cascade layers, specificity tricks, smarter ordering, and even some clever selector hacks can often replace !important with something cleaner, more predictable, and far less embarrassing to explain to your future self.Alternatives to the !important Keyword originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

Designing for agentic AI requires attention to both the system’s behavior and the transparency of its actions. Between the black box and the data dump lies a more thoughtful approach. Victor Yocco explores how to map decision points and reveal the right moments to build trust through clarity, not noise.

こんにちは。ソフトウェアエンジニアの眞井です。私はこれまでアーキテクトとして、検索連動型ショッピング広告のレポートシステムに関連する2つの新規システム開発や、その他数多くの機能追加に携わってきました。...

プロダクトマネージャやデザイナもAIでプルリクエストを作成できるプロセスを作ろう こんにちは。息子と『ドラベース』を読みはじめた daipresents です。トンボール投げたい！ カミナシでは「カミナシ 教育」と「カミナシ 従業員」のマネージャを担当しております。 前回、月1回のオンサイトにおける取り組みを紹介させていただきました。 参考： エンジニアじゃない人でもAIを使えば開発貢献できるんじゃないの？イベントを開催してみた こちらについては、プロダクトマネージャやプロダクトデザイナの評価はとても高く、「もっとやりたい！」、「リリースしたい！」と、みんな開発に対する意気込みを表明してくれま…

In the early hours of April 7th, nearly 100 Magento stores got mass-infected with a "double-tap" skimmer: a credit card stealer hidden inside an invisible SVG element. Sansec found stolen...

A 2026 guide to the leading IAM solutions for SaaS teams, with a breakdown of features, pricing, and trade-offs to help you choose the right provider and start closing enterprise deals faster.

Your users enable multi-factor authentication, use strong passwords, and follow every security best practice you recommend. But none of it matters if an attacker is sitting between them and your login page, relaying traffic in real time and walking away with a valid session cookie.

Discover how Rubber Duck provides a different perspective to GitHub Copilot CLI. The post GitHub Copilot CLI combines model families for a second opinion appeared first on The GitHub Blog.

Cloudflare Organizations is now in public beta, introducing a new management layer for enterprise customers with multiple accounts. Learn how we consolidated our authorization systems to enable org-wide management.

StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios, the largest npm supply chain attack on a single package by download count, before any public disclosure existed. What followed was a race against a state-sponsored threat actor who actively deleted GitHub issues to suppress the warning, a decision to host a community call at midnight that drew 200 attendees, and coverage from Bloomberg to Andrej Karpathy

How does AI actually remember things between messages, and why does it forget halfway through? I ran a few experiments on Claude Sonnet and GPT-5 and wrote down what I saw.

Chrome 145 introduces the column-height and column-wrap properties, enabling us to wrap the additional content into a new row below, creating a vertical scroll instead of a horizontal scroll.Looking at New CSS Multi-Column Layout Wrapping Features originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

We can make puzzle pieces in CSS thanks to the amazing clip-path: shape(). Here, Amit takes it further by making a whole grid of them with matched edges and content inside.

目次 はじめに 課題と前提 Weighted Backend Service によるルーティング制御 ...

<p><strong><a href="https://apps.apple.com/nl/app/google-ai-edge-gallery/id6749645337">Google AI Edge Gallery</a></strong></p>Terrible name, really great app: this is Google's official app for running their Gemma 4 models (the E2B and E4B sizes, plus some members of the Gemma 3 family) directly on your iPhone.</p><p>It works <em>really</em> well. The E2B model is a 2.54GB download and is both fast and genuinely useful.</p><p&g...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-ports/releases/tag/0.2">datasette-ports 0.2</a></p> <blockquote><ul><li>No longer requires Datasette - running <code>uvx datasette-ports</code> now works as well.</li><li>Installing it as a Datasette plugin continues to provide the <code>datasette ports</code> command.</li></ul></blockquote> <p>Tags: <a ...

<p><strong>Release:</strong> <a href="https://github.com/simonw/scan-for-secrets/releases/tag/0.3">scan-for-secrets 0.3</a></p> <blockquote><ul><li>New <code>-r/--redact</code> option which shows the list of matches, asks for confirmation and then replaces every match with <code>REDACTED</code>, taking escaping rules into account.</li><li>New Python function <code>redact_file(file_path: str | Path, s...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/cleanup-claude-code-paste">Cleanup Claude Code Paste</a></p> <p>Super-niche tool this. I sometimes copy prompts out of the Claude Code terminal app and they come out with a bunch of weird additional whitespace. This tool cleans that up.</p><p><img alt="Screenshot of a web tool titled "Cleanup Claude Code Paste" with the subtitle "Paste terminal o...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-ports/releases/tag/0.1">datasette-ports 0.1</a></p> <p>Another <a href="https://gisthost.github.io/?f92d8a6bdadee1c77972b5e51954144e">example</a> of README-driven development, this time solving a problem that might be unique to me.</p><p>I often find myself running a bunch of different <a href="https://datasette.io">Datasette</a> instances wi...

Learn what's new in the world of slow tests and how TestProf continues to help Rails teams to keep CI build times under control.

From forged assertions to memory leaks, SAML's XML foundations keep producing serious bugs. Here's what happened and what you should be doing about it.

Most AI agents run with borrowed sessions and far more access than they need. Here's how to replace that with scoped, revocable credentials and tool-level authorization.

<p><strong><a href="https://lalitm.com/post/building-syntaqlite-ai/">Eight years of wanting, three months of building with AI</a></strong></p>Lalit Maganti provides one of my favorite pieces of long-form writing on agentic engineering I've seen in ages.</p><p>They spent eight years thinking about and then three months building <a href="https://github.com/lalitMaganti/syntaqlite">syntaqlite</a>, which they describe as "<a href="https...

AIがコードを書く時代、QAはどう変わるべきか？ Claude Code、Devin、Cursorと ...

<blockquote cite="https://twitter.com/cpmou2022/status/2040606209800290404"><p>From anonymized U.S. ChatGPT data, we are seeing:</p><ul><li>~2M weekly messages on health insurance</li><li>~600K weekly messages [classified as healthcare] from people living in “hospital deserts” (30 min drive to nearest hospital)</li><li>7 out of 10 msgs happen outside clinic hours</li></ul></blockquote><p class="cite">— <a...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/syntaqlite">Syntaqlite Playground</a></p> <p>Lalit Maganti's <a href="https://github.com/LalitMaganti/syntaqlite">syntaqlite</a> is currently being discussed <a href="https://news.ycombinator.com/item?id=47648828">on Hacker News</a> thanks to <a href="https://lalitm.com/post/building-syntaqlite-ai/">Eight years of wanting, three months of building with AI&lt...

<p><strong>Release:</strong> <a href="https://github.com/simonw/scan-for-secrets/releases/tag/0.2">scan-for-secrets 0.2</a></p> <ul><li>CLI tool now streams results as they are found rather than waiting until the end, which is better for large directories.</li><li><code>-d/--directory</code> option can now be used multiple times to scan multiple directories.</li><li>New <code>-f/--file</code> option ...

<p><strong>Release:</strong> <a href="https://github.com/simonw/scan-for-secrets/releases/tag/0.1.1">scan-for-secrets 0.1.1</a></p> <blockquote><ul><li>Added documentation of the escaping schemes that are also scanned.</li><li>Removed unnecessary <code>repr</code> escaping scheme, which was already covered by <code>json</code>.</li></ul></blockquote>

<p><strong>Release:</strong> <a href="https://github.com/simonw/scan-for-secrets/releases/tag/0.1">scan-for-secrets 0.1</a></p> <p>I like publishing transcripts of local Claude Code sessions using my <a href="https://github.com/simonw/claude-code-transcripts">claude-code-transcripts</a> tool but I'm often paranoid that one of my API keys or similar secrets might inadvertently be revealed in the detailed log files.</p><p>I built t...

コーディングエージェントの自動承認の範囲をどこまで許可するかは、ユーザー体験とセキュリティのバランスを取る上で重要な設計指針の1つです。Codex ではサンドボックス機能を提供することで、エージェントが安全に自律的に動作できる環境を実現しています。この記事では、Codex のサンドボックスの仕組みと、サンドボックス外でコマンドを実行する際の承認プロセスについて説明します。

<p><strong>Release:</strong> <a href="https://github.com/simonw/research-llm-apis/releases/tag/2026-04-04">research-llm-apis 2026-04-04</a></p> <p>I'm working on a <a href="https://github.com/simonw/llm/issues/1314">major change</a> to my LLM Python library and CLI tool. LLM provides an abstraction layer over hundreds of different LLMs from dozens of different vendors thanks to its plugin system, and some of those vendors have grown new feat...

スケルトンローダーは、コンテンツが読み込まれる前に表示されるプレースホルダーで、ユーザーに対して読み込み中であることを視覚的に示すためのものです。Boneyard はスケルトンローダーの手動の計測と更新の手間を解消するためのフレームワークです。この記事では、Boneyard を使用してスケルトンローダーを簡単に実装する方法について説明します。

<blockquote cite="https://twitter.com/kdaigle/status/2040164759836778878"><p>[GitHub] platform activity is surging. There were 1 billion commits in 2025. Now, it's 275 million per week, on pace for 14 billion this year if growth remains linear (spoiler: it won't.)</p><p>GitHub Actions has grown from 500M minutes/week in 2023 to 1B minutes/week in 2025, and now 2.1B minutes so far this week.</p></blockquote><p class="cite">— <a href="https:/...

<p><strong><a href="https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/">Vulnerability Research Is Cooked</a></strong></p>Thomas Ptacek's take on the sudden and enormous impact the latest frontier models are having on the field of vulnerability research.</p><blockquote><p>Within the next few months, coding agents will drastically alter both the practice and the economics of exploit development. Frontier model improvement...

<p>A fun thing about <a href="https://simonwillison.net/2026/Apr/2/lennys-podcast/">recording a podcast</a> with a professional like Lenny Rachitsky is that his team know how to slice the resulting video up into TikTok-sized short form vertical videos. Here's <a href="https://x.com/lennysan/status/2039845666680176703">one he shared on Twitter today</a> which ended up attracting over 1.1m views!</p><p><video src="https://static.simonwillison.net/stati...

<blockquote cite="https://lwn.net/Articles/1065620/"><p>On the kernel security list we've seen a huge bump of reports. We were between 2 and 3 per week maybe two years ago, then reached probably 10 a week over the last year with the only difference being only AI slop, and now since the beginning of the year we're around 5-10 per day depending on the days (fridays and tuesdays seem the worst). Now most of these reports are correct, to the point that we had to bring in more maintainer...

<blockquote cite="https://mastodon.social/@bagder/116336957584445742"><p>The challenge with AI in open source security has transitioned from an AI slop tsunami into more of a ... plain security report tsunami. Less slop but lots of reports. Many of them really good.</p><p>I'm spending hours per day on this now. It's intense.</p></blockquote><p class="cite">— <a href="https://mastodon.social/@bagder/116336957584445742">Daniel Stenberg<...

<blockquote cite="https://www.theregister.com/2026/03/26/greg_kroahhartman_ai_kernel/"><p>Months ago, we were getting what we called 'AI slop,' AI-generated security reports that were obviously wrong or low quality. It was kind of funny. It didn't really worry us.</p><p>Something happened a month ago, and the world switched. Now we have real reports. All open source projects have real reports that are made with AI, but they're good, and they're real.</p></blockq...

Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

デフォルトの `workspace-write` サンドボックスではネットワークアクセスは無効です。外部通信を許可したい場合は、`config.toml` で明示的に有効にします。

<p><strong>Research:</strong> <a href="https://github.com/simonw/research/tree/main/test-csp-iframe-escape#readme">Can JavaScript Escape a CSP Meta Tag Inside an Iframe?</a></p> <p>In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject <code><meta http-equiv="Content-Security-Policy"...

The path to better performance is often found in simplicity.The post The uphill climb of making diff lines performant appeared first on The GitHub Blog.

コーディングエージェントに多く承認を求められると、本当に確認が必要なコマンドの実行を見落とす確率が高まります。Codex には `smart_approvals` という設定があります。これは承認が必要になったとき、その一部をそのままユーザーに投げるのではなく、まず `guardian reviewer` というサブエージェント経由で扱うための実験的な機能です。

Codex では `hooks` を使って、特定のタイミングで任意のコマンドを実行できます。例えば応答が終わるたびに通知したい場合は `Stop hook` を使います。

<p>The Axios team have published a <a href="https://github.com/axios/axios/issues/10636">full postmortem</a> on the supply chain attack which resulted in a malware dependency going out <a href="https://simonwillison.net/2026/Mar/31/supply-chain-attack-on-axios/">in a release the other day</a>, and it involved a sophisticated social engineering campaign targeting one of their maintainers directly. Here's Jason Saayman'a description of <a href="https://github.com/...

ElenaA very handy looking, tiny progressive web components library.The last quiet thingA beautifully composed piece that should serve as a nice reminder to you of both how much "smart" software/devices dominate your time and also how it's not your fault!Font metrics calculator for font-size-adjustDoes exactly what it says on the tin!There’s no need to include ‘navigation’ in your navigation labelsA bit like how you should avoid prefixing alt text with "an image", prefixing/suffixing <nav> ...

TeamPCP weaponized 76 Trivy version tags overnight. The KICS attack followed the same playbook days later. One security control is not enough. Here is how the StepSecurity platform's ten independent security layers work together to prevent credential exfiltration, detect compromised actions at runtime, and respond to incidents across your entire organization before attackers can succeed.

An overview of what's new in language features, frameworks, runtimes, build tools, testing, and more.

HighlightsLanguage-aware rulesESLint v10.2.0 adds support for language-aware rules through the new meta.languages property. Rule authors can now explicitly declare which languages a rule supports, and ESLint will throw a runtime error if that rule is enabled for an unsupported language, as specified by the language configuration option.Here is an example of a rule that only supports the JavaScript language:const rule = { meta: { type: "problem", docs: { description: "Example JavaScript rule", },

Master secure authentication in Laravel from Breeze and Sanctum to enterprise SSO, with production-ready patterns and security best practices.

<p>I was a guest on Lenny Rachitsky's podcast, in a new episode titled <a href="https://www.lennysnewsletter.com/p/an-ai-state-of-the-union">An AI state of the union: We've passed the inflection point, dark factories are coming, and automation timelines</a>. It's available on <a href="https://youtu.be/wc8FBhQtdsA">YouTube</a>, <a href="https://open.spotify.com/episode/0DVjwLT6wgtscdB78Qf1BQ">Spotify</a>, and <a href="https://podcasts.apple.com/us/pod...

In my work with View Transitions over the last several years, I’ve published everything from deep-dive articles, demos, and announcement videos at Google I/O. I’ve also done some more experimental things with it, such as optimizing the keyframes or driving a View Transition by scroll.To turn the lessons from these scattered experiments into something more reusable for both you and me, I’ve bundled the most frequent code patterns into a dedicated package: view-transitions-toolkit.

<p><strong><a href="https://blog.google/innovation-and-ai/technology/developers-tools/gemma-4/">Gemma 4: Byte for byte, the most capable open models</a></strong></p>Four new vision-capable Apache 2.0 licensed reasoning LLMs from Google DeepMind, sized at 2B, 4B, 31B, plus a 26B-A4B Mixture-of-Experts.</p><p>Google emphasize "unprecedented level of intelligence-per-parameter", providing yet more evidence that creating small useful models is one of ...

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-gemini/releases/tag/0.30">llm-gemini 0.30</a></p> <p>New models <code>gemini-3.1-flash-lite-preview</code>, <code>gemma-4-26b-a4b-it</code> and <code>gemma-4-31b-it</code>. See <a href="https://simonwillison.net/2026/Apr/2/gemma-4/">my notes on Gemma 4</a>.</p> <p>Tags: <a href="https://simonwillison.net/tags/gemini">gemi...

Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.

v2.1.85 で、Claude Code の hooks で if フィールドを指定できるようになりました。if フィールドには、フックが呼び出される条件を指定できます。条件に一致しない場合はプロセス自体が起動しないため、オーバーヘッド削減にもなります。

Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.

Creating rectangles, circles, and rounded rectangles is the basic of CSS. Creating more complex CSS shapes such as triangles, hexagons, stars, hearts, etc. is more challenging but still a simple task if we rely on modern features.Making Complex CSS Shapes Using shape() originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

Installation methods transition is now complete, table capabilities significantly expanded, CKEditor AI improved, Export to PDF defaults to v2, and more.

The explosion of AI-bot traffic, representing over 10 billion requests per week, has opened up new challenges and opportunities for cache design. We look at some of the ways AI bot traffic differs from humans, how this impacts CDN cache, and some early ideas for how Cloudflare is designing systems to improve the AI and human experience.

News of RSS' death following the demise of Google Reader has been greatly exaggerated. RSS is alive, well, and as omnipresent as ever. You aren't properly publishing content on the web if you aren't also publishing in syndication formats.This is a general guide designed to help you understand, build, and distribute various formats of web feeds, even if you've never touched them before. We're not going to run through all the uses and details of syndication feeds, because they've been covered ad n

CSS containment lets you isolate layout and paint work to self-contained ‘islands’. Here’s what each contain value does and how to use it safely.

difit はローカルの git 差分を GitHub スタイルのインターフェースで確認できる CLI ツールです。difit-review スキルを使用することでエージェントがコードの変更点にコメントを残した状態で difit を起動できます。この記事では、difit-review スキルを使用してエージェント自身にコードの変更点をコメントしてもらう方法を紹介します。

Supabase hits 100,000 GitHub stars. A reflection on community, open source, and what got us here.

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.

A supply chain attack targeting Solidity and Web3 developers has been discovered across three IoliteLabs VSCode extensions (solidity-macos, solidity-windows, and solidity-linux) embedding obfuscated backdoors that download remote payloads and establish persistence on all major platforms. StepSecurity is actively investigating this incident and will publish a full technical analysis with IOCs and remediation guidance shortly.

On March 27, 2026, TeamPCP injected a WAV steganography-based credential stealer into two releases of the telnyx Python SDK on PyPI. The issue was disclosed in team-telnyx/telnyx-python#235. TeamPCP is the same group behind the litellm supply chain compromise three days earlier, identified by a shared RSA-4096 public key, identical encryption scheme, and the tpcp.tar.gz exfiltration signature present in both attacks.

<p>I just sent the March edition of my <a href="https://github.com/sponsors/simonw/">sponsors-only monthly newsletter</a>. If you are a sponsor (or if you start a sponsorship now) you can <a href="https://github.com/simonw-private/monthly/blob/main/2026-03-march.md">access it here</a>. In this month's newsletter:</p><ul><li>More agentic engineering patterns</li><li>Streaming experts with MoE models on a Mac</li><li>Model re...

はじめに こんにちは！PR TIMES第二開発部の加来安東です。 本記事では、AWS CloudTrail の監査ログを Google Cloud（BigQuery）上で分析できるように整備した事例についてご紹介します。 […]

Better Townie system prompt, std/oauth, migrating from Clerk to BetterAuth, Deno 2.7.5, and more

To support enterprise workflows like monitoring systems, triaging support tickets, and automating routine work, AI agents need access to the same sensitive systems employees use, including databases, APIs, SaaS tools, and internal infrastructure. However, many of these systems still rely on shared passwords, API keys, tokens, and other credential-based access paths that are difficult to manage and control. As organizations put agents to work for new use cases and in new environments, IT and secu

Most organizations already have the policies they need in place. The problem is enforcement.Employees must complete security awareness training, contractors must acknowledge updated agreements, and teams must meet compliance requirements. But the systems that track these requirements rarely connect to the systems that control user and device access. As a result, access is granted even when required conditions haven’t been met.That’s why we're excited to announce that 1Password Device Trust can n

API keys, token files, OAuth Device Flow, and Client Credentials compared. A practical guide to choosing the right authentication pattern for your CLI.

How FIDO2 and passkeys use cryptographic domain binding to stop phishing attacks, why SMS and push notification fallbacks destroy your security posture, and what to do about it.

MFA still blocks most automated attacks. But the new generation of AI-powered phishing tools does not send automated attacks. It runs real-time, human-speed session hijacking that MFA was never designed to stop.

AIと不安で眠れない夜。 あ〜〜〜〜〜今日もTwitterのタイムラインはAI、Claude、OpenClaw、エーアイ、Codex、Gemini、ハーネスの話題で持ち切りだわ。なんだよハーネスって。自意識過剰なホモサピエンスがAI様をコントロールできると考えているのか！？奴らの成長速度を考えたら、数年以内に制御できる範囲なんてとっくに飛び出して二足歩行でコンビニ行ってオハヨーのブリュレアイス買って食っとるわ。あれうますぎだろ。 あ〜〜〜〜〜わかってるよ。Twitter呼びは時代遅れだって？そのツッコミも飽きたわ！俺は死ぬまでTwitterって言うからいちいち気にしないでくれ！ ジュニアやミド…

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a6">datasette-llm 0.1a6</a></p> <blockquote><ul><li>The same model ID no longer needs to be repeated in both the default model and allowed models lists - setting it as a default model automatically adds it to the allowed models list. <a href="https://github.com/datasette/datasette-llm/issues/6">#6</a></li><li>Improved docu...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-enrichments-llm/releases/tag/0.2a1">datasette-enrichments-llm 0.2a1</a></p> <blockquote><ul><li>The <code>actor</code> who triggers an enrichment is now passed to the <code>llm.mode(... actor=actor)</code> method. <a href="https://github.com/datasette/datasette-enrichments-llm/issues/3">#3</a></li></ul></blockquote&...

The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.

Recent attacks on open source focus on exfiltrating secrets; here are the prevention steps you can take today, plus a look at the security capabilities GitHub is working on.The post Securing the open source supply chain across GitHub appeared first on The GitHub Blog.

/fleet lets Copilot CLI dispatch multiple agents in parallel. Learn how to write prompts that split work across files, declare dependencies, and avoid common pitfalls.The post Run multiple agents at once with /fleet in Copilot CLI appeared first on The GitHub Blog.

記事は ics.media へアクセスしてご覧ください。

These are the historical pranks I consider the top 10 most noteworthy, rather than the “best.” You’ll see that some of them crossed the line and/or backfired.Front-End Fools: Top 10 April Fools’ UI Pranks of All Time originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

NGINX Gateway Fabric 2.5.0 is here, and this one is a big deal. The release doubles down on enterprise-grade capabilities while keeping us at the forefront of Gateway API conformance. NGF remains one of the top conformant implementations of the Gateway API spec, and this release reinforces why. Here’s what’s new. Gateway API 1.5 Conformance […]

A deep sniff of the new CSS Olfactive API, a set of proposed features for immersive user experiences using smell.Sniffing Out the CSS Olfactive API originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

Eight years ago, we launched 1.1.1.1 to build a faster, more private Internet. Today, we’re sharing the results of our latest independent examination. The result: our privacy protections are working exactly as promised.

Today we are launching the beta of EmDash, a full-stack serverless JavaScript CMS built on Astro 6.0. It combines the features of a traditional CMS with modern security, running plugins in sandboxed Worker isolates.

DockerfileやComposeファイルのイメージ参照に@sha256:<digest>を自動で追加するCLIツール dockerfile-pin を作りました。GitHub: azu/dockerfile-pinなぜ作ったかtrivyへのサプライチェーン攻撃などの事件を見ていると、次に狙われるのはDocker Hubかなと思ったのがきっかけです。CIでDocker Hubへのpushをしているケースは多いので、そこに悪意あるコードが混入する事件は今後も起きるだろうと思っています。Dockerイメージのタグ（例：node:20）はデフォルトで可変（mutable）です。同じタグ名で中身を上書きできるため、悪意ある第三者がレジストリへのアクセスを得た場合、既存タグに対して改竄されたイメージをpushできます。Can a Docker Hub tag have its content changed? - Docker Community ForumsDocker Hubなどのレジストリは安全とは限りません。npmのようにトークンの制限が厳しくなっていたり、デフォルトでタグ...

Design principles with references, examples, and methods for quick look-up. Brought to you by Design Patterns For AI Interfaces, **friendly video courses on UX** and design patterns by Vitaly.

デザインデータ（Figma）v2.11.1を公開しました。

テキストエリアに文字数カウンターを追加。プログレスインジケーターを新規追加。

本ウェブサイトのソースコードの可読性を向上しました。

We’re excited to announce that RSS feed support for blog.jetbrains.com and all JetBrains product blogs is now generally available. After months of development and rigorous testing across 47 RSS readers on 6 platforms, we’re proud to deliver a reliable, standards-compliant way for you to read JetBrains content in the environment of your choice. What You […]

Browse Supabase docs with grep, find, and cat.

株式会社はてなに入社しました 株式会社はてなに入社しました - hitode909の日記

Claude Code のスキルが数十個に増えてきたのですが、全員に一律で適用されるのがつらくなってきたので、Plugin Marketplace を使ってオプトイン配布に移行しました。 スキルが増えると何が起きるか Claude Code のスキルは .claude/skills/ に配置すると、リポジトリを開いた全員に適用されます。数個なら問題ないのですが、数十個に増えてくるとスキルの description マッチングで意図しないスキルまで発火するようになってきました。QA 向けのスキルがバックエンドエンジニアの作業中に反応したり、フロントエンド向けのスキルがインフラの作業で発火したりと…

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-extract/releases/tag/0.3a0">datasette-extract 0.3a0</a></p> <ul><li>Now uses <a href="https://github.com/datasette/datasette-llm">datasette-llm</a> to manage model configuration, which means you can control which models are available for extraction tasks using the <code>extract</code> purpose and <a href="https://github.com/datasette/datasette-l...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-enrichments-llm/releases/tag/0.2a0">datasette-enrichments-llm 0.2a0</a></p> <blockquote><ul><li>This plugin now uses <a href="https://github.com/datasette/datasette-llm">datasette-llm</a> to configure and manage models. This means it's possible to <a href="https://github.com/datasette/datasette-enrichments-llm/blob/0.2a0/README.md#configuration">sp...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm-usage/releases/tag/0.2a0">datasette-llm-usage 0.2a0</a></p> <blockquote><ul><li>Removed features relating to allowances and estimated pricing. These are now the domain of <a href="https://github.com/datasette/datasette-llm-accountant">datasette-llm-accountant</a>.</li><li>Now depends on <a href="https://github.com/datasette/datasette-l...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-llm/releases/tag/0.1a5">datasette-llm 0.1a5</a></p> <blockquote><ul><li>The <code>llm_prompt_context()</code> plugin hook wrapper mechanism now tracks prompts executed within a chain as well as one-off prompts, which means it can be used to track tool call loops. <a href="https://github.com/datasette/datasette-llm">#5</a></li></ul&gt...

こんにちは。LINEヤフー株式会社で認証・認可基盤Athenzの開発・運用を担当している金 廷祐（Kim, Jeongwoo）です。この記事では、AIエージェントがさまざまなサービスと連携する際のトー...

We analyzed 1,140 early-stage funding rounds in developer tools, cybersecurity, and infrastructure from January 2025 through March 2026. Here are the top VCs and investors writing checks, the metrics that got companies funded, and the exact person to email based on what you're building.

React Admin is a great framework to build admin interfaces. However we can do better, we can do simpler, we can do faster. How? By leveraging the power of old and robust technology: COBOL.

This month, a new best practices guide was added to the Svelte docs. Check it out, if you haven't already!On the code side, the Svelte MCP got even easier to use with improvements to the official OpenCode package. Combined with the improvements to svelte.config.js, server-side error boundaries in SvelteKit and better types all around, this month is full of great improvements!As always, there's plenty in the showcase too!What's new in Svelte and SvelteKitMCP: Svelte's OpenCode config can now be f

A hijacked maintainer account, a hidden trojan, and a two-hour window that put millions of projects at risk. Here's the full story and how to protect yourself.

AI agents don't have phones, fingerprints, or sessions. The identity infrastructure they need looks nothing like what we built for humans.

What they are, how they work, and why modern password security has moved beyond them.

A practical comparison of the leading multi-factor authentication solutions: what they're good at, where they fall short, and how to choose the right one for your stack.

Send Playwright test runs to Checkly with traces, videos, screenshots, flaky test visibility, and session history, then take key tests into monitoring.

Today, alongside our colleagues at Google and Mozilla, we announced JetStream 3.0, a major update to the cross-browser benchmark suite.

I used coding agents to build agents that automated part of my job. Here's what I learned about working better with coding agents.The post Agent-driven development in Copilot Applied Science appeared first on The GitHub Blog.

There is a category of apps that help record short-form videos, mostly screencasts. For those of you who work on products that you need to showcase/teach people how to use, video can be super effective. Here’s a list of the ones I’ve seen for reference: I’ve been trying them out for videos like this, but […]