<blockquote cite="https://aphyr.com/posts/419-the-future-of-everything-is-lies-i-guess-new-jobs"><p>I think we will see some people employed (though perhaps not explicitly) as <em>meat shields</em>: people who are accountable for ML systems under their supervision. The accountability may be purely internal, as when Meta hires human beings to review the decisions of automated moderation systems. It may be external, as when lawyers are penalized for submitting LLM lies to ...

Harness CEO Jyoti Bansal discusses AI-native software delivery, developer productivity, and where the industry is headed. Interview from HumanX 2026.

We’re sharing recent policy updates that developers should know about, updating our Transparency Center with the full year of 2025 data, and looking to what’s ahead.The post Developer policy update: Intermediary liability, copyright, and transparency appeared first on The GitHub Blog.

StepSecurity adds cooldown and group support for Dependabot configuration, giving teams control over update frequency and PR batching across npm, pip, Docker, and GitHub Actions. Reduce alert fatigue. Merge more patches. Strengthen your supply chain.

Agent Lee is an in-dashboard agent that shifts Cloudflare’s interface from manual tab-switching to a single prompt. Using sandboxed TypeScript, it helps you troubleshoot and manage your stack as a grounded technical collaborator.

The Cloudflare Registrar API is now in beta. Developers and AI agents can search, check availability, and register domains at cost directly from their editor, their terminal, or their agent — without leaving their workflow.

Announcing a preview of the next edition of the Agents SDK — from lightweight primitives to a batteries-included platform for AI agents that think, act, and persist.

Browser Rendering is now Browser Run, with Live View, Human in the Loop, CDP access, session recordings, and 4x higher concurrency limits for AI agents.

Cloudflare Workflows, a durable execution engine for multi-step applications, now supports higher concurrency and creation rate limits through a rearchitectured control plane, helping scale to meet the use cases for durable background agents.

An experimental voice pipeline for the Agents SDK enables real-time voice interactions over WebSockets. Developers can now build agents with continuous STT and TTS in just ~30 lines of server-side code.

デザインデータ（Figma）v2.13.0を公開しました。

こんにちは。技術推進本部の @shia です。前回は kuro の活動事例を紹介しましたので、今回はその裏側を解説していきます。 なぜ自作したのか 前回の記事を読んで「既存の SaaS やマネージドなエージェントサービスを使えばいいのでは？」と思った方もいるかもしれません。一応、いくつかの理由から自作という判断に至っています。 まず、開発着手した 2 月時点では利用できるサービスの選択肢がそもそも多くありませんでした。使えると考えたのは Devin くらいで、実際使ってもいましたが、 GitHub 上のやり取りに制約があったり、開発環境の都合などで当時はやや物足りなさを覚えてました。 次に汎用…

こんにちは、LINEヤフー株式会社の迫川です。社内システムのデータ基盤開発を担当しながら、Orchestration Development Workshopのギルドメンバーとしても活動しています。O...

<p><strong><a href="https://ziglang.org/download/0.16.0/release-notes.html#Juicy-Main">Zig 0.16.0 release notes: "Juicy Main"</a></strong></p>Zig has <em>really good</em> release notes - comprehensive, detailed, and with relevant usage examples for each of the new features.</p><p>Of particular note in the newly released Zig 0.16.0 is what they are calling "Juicy Main" - a dependency injection feature for your program'...

こんにちは、技術広報のえんじぇるです。 2024年、2025年に引き続き STORES Tech Conf を今年も開催することになりました！ 開催日時：2026年8月31日（月）13:00開始 開催場所：浅草橋ヒューリックホール&カンファレンス 参加費用：無料 参加申込みフォーム：https://forms.gle/ijyynGHpKmWuXo2z9 今年のテーマは“World 2”です。テーマについては、後述します。 前回の開催について STORES Tech Conf 2025 では、“What Would You Do?” をテーマに開催しました。オープン枠（学生・女性向け）を設けて、…

The conversation about AI and coding work is full of highs. These models are incredible! I’m so productive. I’m not blocked by a lack of knowledge in certain areas like I used to get. I’m making projects I never would have gotten around to making. I’m having fun with code for the first time in […]

Most AI SEO advice is unproven. We tested what ChatGPT, Claude, and Perplexity actually read on our own site. Six LLM visibility techniques that worked, eight that didn't, and the metrics to tell the difference.

WorkOS CEO Michael Grinich interviews Homer Wang of TinyFish at HumanX 2026 about building AI agents and the evolving startup landscape.

WorkOS CEO Michael Grinich interviews Certn's Andrew McLeod on AI-powered background checks, trust infrastructure, and the future of identity verification.

WorkOS CEO Michael Grinich interviews Mazy Dar, founder of Here, on building AI-native video understanding at HumanX 2026.

Michael Grinich interviews Abhi Aiyer from Mastra about building open-source AI agent frameworks, developer tooling, and the evolving agentic ecosystem.

Michael Grinich interviews Ameya Bhatawdekar from Braintrust on AI evaluation, prompt engineering, and building reliable AI products at HumanX 2026.

Ojus Save from Render explains how the platform is evolving cloud infrastructure for AI workloads, GPU access, and developer experience at HumanX 2026.

Watch Saif Gunja's interview with Paul Dhaliwal of Code Conductor at HumanX 2026 on AI-assisted development and production-ready code orchestration.

WorkOS CEO Michael Grinich interviews Temporal co-founder Maxim Fateev on durable execution, AI agent reliability, and why workflows need to survive failures.

Traversal CEO Anish Agarwal explains how autonomous agents troubleshoot production incidents at scale: from world models to L5 autonomy. Interview from HumanX 2026.

AppsFlyer's Eran Dunsky shares how the company integrated AI into their marketing platform, from internal tooling to customer-facing features.

WorkOS CEO Michael Grinich interviews Webflow CEO Linda Tong on AI-powered web development, enterprise adoption, and the future of no-code at HumanX 2026.

Rob Ferguson of Fireworks AI explains why open models are catching up to frontier closed-source AI, and why data (not architecture) is the real moat.

Apollo GraphQL CEO Matt DeBergalis on why GraphQL's semantic layer matters for AI agents, how MCP and GraphQL complement each other, and what enterprise AI adoption really looks like.

Omni CEO Colin Zima talks AI agents in analytics, the three-layer future of software, and why 80% of his team's code is AI-generated.

Dialpad CTO Brian Peterson on mandating AI in engineering, the Jevons Paradox in practice, and why customer service will transform within a year.

Honeycomb CEO Christine Yen on why observability matters more than ever as AI agents reshape how software gets built, debugged, and understood.

Automation Anywhere CPO Peter White on why enterprises want solutions over technology pitches, where AI agents actually deliver, and the reality behind the hype.

Daytona CEO Ivan Burazin explains why every AI agent needs its own computer, how he built an AI with its own identity, and why SaaS is shifting from seats to consumption.

Assembled CEO John Wang explains why AI is growing support teams, not shrinking them, and why orchestration is the real differentiator in customer support.

Cosmo Wolfe explains why AI companies are rethinking pricing, why per-seat models are dying, and what Stripe's Machine Payment Protocol means for agents as buyers.

Augment Code CEO Matt McClernan discusses the rapid shift from AI code completions to agent orchestration at HumanX 2026, interviewed by WorkOS CEO Michael Grinich.

Noam Schwartz of Alice explains why prompt injection is the new SQL injection and what enterprises deploying AI agents need to know about trust and safety.

<p><strong><a href="https://github.com/simonw/datasette/pull/2689">datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection</a></strong></p>Datasette has long protected against CSRF attacks using CSRF tokens, implemented using my <a href="https://github.com/simonw/asgi-csrf">asgi-csrf</a> Python library. These are something of a pain to work with - you need to scatter forms in templates with <code><input type...

Figma MCPやCursor、Claude CodeといったAIツールの浸透によって、Ameba ...

<p><strong><a href="https://openai.com/index/scaling-trusted-access-for-cyber-defense/">Trusted access for the next era of cyber defense</a></strong></p>OpenAI's answer to <a href="https://simonwillison.net/2026/Apr/7/project-glasswing/">Claude Mythos</a> appears to be a new model called GPT-5.4-Cyber:</p><blockquote><p>In preparation for increasingly more capable models from OpenAI over the next few months, we are fine-tuning ou...

<p><strong><a href="https://www.dbreunig.com/2026/04/14/cybersecurity-is-proof-of-work-now.html">Cybersecurity Looks Like Proof of Work Now</a></strong></p>The UK's AI Safety Institute recently published <a href="https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities">Our evaluation of Claude Mythos Preview’s cyber capabilities</a>, their own independent analysis of <a href="https://simonwillison.net/2026/Apr/7...

Socket CEO Feross Aboukhadijeh joins 10 Minutes or Less, a podcast by Ali Rohde, to discuss the recent surge in open source supply chain attacks.

Learn to find and exploit real-world agentic AI vulnerabilities through five progressive challenges in this free, open source game that over 10,000 developers have already used to sharpen their security skills.The post Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game appeared first on The GitHub Blog.

The new Code Security Risk Assessment gives you a one-click view of vulnerabilities across your organization, at no cost.The post How exposed is your code? Find out in minutes—for free appeared first on The GitHub Blog.

記事は ics.media へアクセスしてご覧ください。

One of the best-known examples of CSS state management is the checkbox hack. What if we want a component to be in one of three, four, or seven modes? That is where the Radio State Machine comes in.The Radio State Machine originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Cloudflare is introducing scannable API tokens, enhanced OAuth visibility, and GA for resource-scoped permissions. These tools help developers implement a true least-privilege architecture while protecting against credential leakage.

We share Cloudflare's internal strategy for governing MCP using Access, AI Gateway, and MCP server portals. We also launch Code Mode to slash token costs and recommend new rules for detecting Shadow MCP in Cloudflare Gateway.

Managed OAuth for Cloudflare Access helps AI agents securely navigate internal applications. By adopting RFC 9728, agents can authenticate on behalf of users without using insecure service accounts.

Cloudflare Mesh provides secure, private network access for users, nodes, and autonomous AI agents. By integrating with Workers VPC, developers can now grant agents scoped access to private databases and APIs without manual tunnels.

We're transferring the Stripe Sync Engine from supabase/stripe-sync-engine to stripe/sync-engine

Read about various happenings with Baseline during March 2026.

Introducing name-only @container queries, shipped in Safari 26.4.

こんにちは！26卒でサイボウズに入社した、かりんとうです。会社ではコサキンと名乗ることにしたので、ニックネームをどう切り替えるか悩みです。早速ですが、最近ルビについて調べる機会があったので、情報を整理するためにもこの記事で紹介します。 はじめにルビ（ruby）は、文字にふりがなや補足情報を付けるための仕組みです。日本では、漫画・小説・教科書・新聞など、さまざまな場面でルビが使われています。ルビは、難読漢字や固有名詞の読みを示し、読者の理解を助けるために用いられることが多いです。縦書きと併用されることも少なくありません。他の国でも使われており、例えば中国では発音を示す拼音（ピ...

こんにちは。技術推進本部の shia です。最近はエーアイというやつと向き合っておりまして、その話の一つとして2月入社した新入 AI 社員の話をします。 AI エージェント とは、LLM（大規模言語モデル）に自律的に行動させる仕組みのことで、指示を受けたら自分でツールを使ったり判断したりしながらタスクをこなしてくれるものです。 この話は二つの記事で構成される予定で、今回は活動事例、次回はその裏側を紹介していきます。 社員紹介 kuro は 2026年2月入社しており、Slack と GitHub で活動しながら、我々の事業推進を多岐にわたる方法で手伝ってくれています。 わかりやすいので Git…

こんにちは、LINEヤフー株式会社の福野です。社内のさまざまなアプリの開発を横断的に支援する仕事をしています。本記事では当社のAndroid・iOSアプリを衛星通信に対応させるための取り組みについてご...

SEASON TWO HAS LANDED!Bob Lord has spent decades building and leading security programs, from early internet crypto work at Netscape to roles at Twitter, Yahoo, the Democratic National Committee, and CISA. In this episode of Chasing Entropy, he and host Dave Lewis get practical about why the security advice most people hear doesn’t match how real compromises happen.Across secure-by-design, AI systems, and software supply chains, security breaks down when organizations treat outcomes like someone

Introducing rails_vite—a new Vite integration for Rails that works with Propshaft, not against it. Drop it into an existing jsbundling app for instant CSS HMR, or use the full gem for manifest-based asset resolution.

The affected stores span 27 countries, with France, Italy, Poland, and the Czech Republic accounting for the majority. Among them: a multi-billion dollar fashion retailer, two French university boo...

Three mechanisms guard three different checkpoints in OAuth and OpenID Connect. Here is why none of them is optional.

Why teams outgrow Amazon Cognito and which authentication platforms handle enterprise SSO, multi-tenancy, and directory sync without the glue code.

はじめに カミナシでエンジニアをしている Shimmy です。今は新規プロダクト開発をしています。 0→1の開発設計では「コードベースの持続可能性」と「短期的なデリバリー速度」の両方が重要です。そのバランスを取りながら、AIの力を最大限活かせるアーキテクチャを考えてきました。 その過程で分かった設計原則というのは、AIを活用する前から変わらないものでした。 この記事では、AIの力を引き出す設計と、その設計を決定論的に守らせる仕組みついて話します。 補足: TanStack Start（フルスタックReactフレームワーク）を利用しており、フロントエンドとバックエンドが同一コードベースにあります…

<p><a href="https://twitter.com/steve_yegge/status/2043747998740689171">Steve Yegge</a>:</p><blockquote><p>I was chatting with my buddy at Google, who's been a tech director there for about 20 years, about their AI adoption. Craziest convo I've had all year.</p><p>The TL;DR is that Google engineering appears to have the same AI adoption footprint as John Deere, the tractor company. Most of the industry has the same internal adoption curve: 20% age...

Campaign of 108 extensions harvests identities, steals sessions, and adds backdoors to browsers, all tied to the same C2 infrastructure.

Measuring performance without shooting youself in the foot (as badly)

It doesn't mean you can't get AI to help with accessible code, you've just got to know what you're doing.

<p><strong>Research:</strong> <a href="https://github.com/simonw/research/tree/main/servo-crate-exploration#readme">Exploring the new `servo` crate</a></p> <p>In <a href="https://servo.org/blog/2026/04/13/servo-0.1.0-release/">Servo is now available on crates.io</a> the Servo team announced the initial release of the <a href="https://crates.io/crates/servo">servo</a> crate, which packages their browser engine as an embeddable lib...

Learn how to create a free website for any repository on GitHub Pages.The post GitHub for Beginners: Getting started with GitHub Pages appeared first on The GitHub Blog.

We’re introducing cf, a new unified CLI designed for consistency across the Cloudflare platform, alongside Local Explorer for debugging local data. These tools simplify how developers and AI agents interact with our nearly 3,000 API operations.

Craving for a view transition? Sunkanmi has lots of common transitions you can drop into your website right now!7 View Transitions Recipes to Try originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

We’re introducing Durable Object Facets, allowing Dynamic Workers to instantiate Durable Objects with their own isolated SQLite databases. This enables developers to build platforms that run persistent, stateful code generated on-the-fly.

Cloudflare Sandboxes give AI agents a persistent, isolated environment: a real computer with a shell, a filesystem, and background processes that starts on demand and picks up exactly where it left off.

Outbound Workers for Sandboxes provide a programmable, zero-trust egress proxy for AI agents. This allows developers to inject credentials and enforce dynamic security policies without exposing sensitive tokens to untrusted code.

Have you ever heard of Disney’s 12 Basic Principles of Animation? In this tutorial, we’ll explore how we can use the very first principle to create SVG micro-interactions that feel way more natural and believable. It’s one of those small things that has a big impact.

こんにちは、STORES のえんじぇるです。 今年も STORES は RubyKaigi 2026 にNursery Sponsor および Scholarship Sponsor として協賛します！ Nursery Sponsor は2024年から3年連続で、今年も小さなRubyistのみなさんに会えるのが楽しみです！ Scholarship Sponsor として記載されているのは今年が初ですが、昨年度も学生支援を実施していました。 先日下見に行ったので、写真をまじえながら、STORES のRubyKaigi 2026への関わり方を紹介します。 函館空港でお出迎えしてくれたクマ🐻 登壇 …

本記事では、ある日起きたAurora MySQLの障害対応事例を紹介します。

<blockquote cite="https://bcantrill.dtrace.org/2026/04/12/the-peril-of-laziness-lost/"><p>The problem is that LLMs inherently <strong>lack the virtue of laziness</strong>. Work costs nothing to an LLM. LLMs do not feel a need to optimize for their own (or anyone's) future time, and will happily dump more and more onto a layercake of garbage. Left unchecked, LLMs will make systems larger, not better — appealing to perverse vanity metrics, perhaps, but at the cos...

はじめにこんにちは。SRE（Site Reliability Engineer）として働いているDahee Eoです。私たちのチームは、Media Platform SREをはじめ、グローバルトラフィ...

In this release, we focused entirely on performance improvements, with the introduction of a daemon,

Today the Servo team has released v0.1.0 of the servo crate.This is our first crates.io release of the servo crate that allows Servo to be used as a library.We currently do not have any plans of publishing our demo browser servoshell to crates.io.In the 5 releases since our initial GitHub release in October 2025, our release process has matured, with the main “bottleneck” now being the human-written monthly blog post.Since we’re quite excited about this release, we decided to not wait for the mo

Let's take a look at why the common, horizontal code structure is not ideal, where it breaks down, and what we can do about it.

Learn how to monitor Shopify storefronts with Playwright and Checkly, including bot protection, consent popups, and checkout monitoring.

The Evaluability Gap: Designing for Scalable Human Review of AI OutputIn the age of AI, output velocity is no longer a limiting factor. AI can generate massive amounts of output in a fraction of the time it would take for a human. Code, designs, documents, analysis, and nearly anything else you can think of.However, as LLMs are integrated in more and more processes, we are left with a new problem: evaluation.In this post we'll look at the next great usability and reliability problem facing us al

<p>Thanks to a <a href="https://twitter.com/RahimNathwani/status/2039961945613209852">tip from Rahim Nathwani</a>, here's a <code>uv run</code> recipe for transcribing an audio file on macOS using the 10.28 GB <a href="https://huggingface.co/google/gemma-4-E2B">Gemma 4 E2B model</a> with MLX and <a href="https://github.com/Blaizzy/mlx-vlm">mlx-vlm</a>:</p><pre><code>uv run --python 3.13 --with mlx_vlm --with torchvision --w...

こんにちは、Service Reliability Group(SRG)の鬼海 雄太(@fat47) ...

Cloudflare's mission has always been to help build a better Internet. Sometimes that means building for the Internet as it exists. Sometimes it means building for the Internet as it's about to become. This week, we're kicking off Agents Week, dedicated to what comes next.

AI coding agents install packages, create pull requests, push commits, and run autonomously in CI/CD pipelines. Here's how to secure every stage of that workflow

Modern supply chain attacks target developer machines and AI coding agents. Learn how StepSecurity Dev Machine Guard stops credential theft early

Explore key CI/CD security trends for 2024, including shifts to modern platforms, third-party component risks, rising security incidents, and the growing need for secure pipelines. Learn how to protect your organization from evolving threats in the CI/CD landscape.

<p><strong><a href="https://sqlite.org/releaselog/3_53_0.html">SQLite 3.53.0</a></strong></p>SQLite 3.52.0 was withdrawn so this is a pretty big release with a whole lot of accumulated user-facing and internal improvements. Some that stood out to me:</p><ul><li><code>ALTER TABLE</code> can now add and remove <code>NOT NULL</code> and <code>CHECK</code> constraints - I've previously used my own <a href="...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/sqlite-qrf">SQLite Query Result Formatter Demo</a></p> <p>See my notes <a href="https://simonwillison.net/2026/Apr/11/sqlite/">on SQLite 3.53.0</a>. This playground provides a UI for trying out the various rendering options for SQL result tables from the new Query Result Formatter library, compiled to WebAssembly.</p> <p>Tags: <a href="https://simonwillison.net...

Claude に新たに追加された advisor tool を使用すると、通常のタスクは軽量モデルに任せつつ、必要に応じて高性能モデルに相談することで、性能とコストのバランスを最適化できます。この記事では Claude Code 内で advisor tool を活用する方法について紹介します。

OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.

<p>Lenny <a href="https://twitter.com/lennysan/status/2042615413494939943">posted</a> another snippet from <a href="https://simonwillison.net/2026/Apr/2/lennys-podcast/">our 1 hour 40 minute podcast recording</a> and it's about kākāpō parrots!</p><p><video src="https://static.simonwillison.net/static/2026/kakapo-lenny.mp4" poster="https://static.simonwillison.net/static/2026/kakapo-lenny.jpg" controls preload="none" playsinline style="display:block; ...

Cloudflare’s global network has officially crossed 500 Tbps of external capacity, enough to route more than 20% of the web and absorb the largest DDoS attacks ever recorded.

GitHub for Beginners: Getting started with the GitHub Copilot CLI, a step-by-step tutorial.The post GitHub Copilot CLI for Beginners: Getting started with GitHub Copilot CLI appeared first on The GitHub Blog.

<p>I think it's non-obvious to many people that the OpenAI voice mode runs on a much older, much weaker model - it feels like the AI that you can talk to should be the smartest AI but it really isn't.</p><p>If you ask ChatGPT voice mode for its knowledge cutoff date it tells you April 2024 - it's a GPT-4o era model.</p><p>This thought inspired by <a href="https://twitter.com/karpathy/status/2042334451611693415">this Andrej Karpathy tweet</a> about the g...

It's fine. I'm fine. I just like learning ok.

Your RTE choice shapes how much compliance work your team owns. Learn what to look for when building for healthcare, finance, or government.

Practical guidelines for driving UX impact in organizations with legacy systems and broken processes. Brought to you by Measuring UX Impact, **friendly video course on UX** and design patterns by Vitaly.

Using CSS animations as state machinesExtremely clever stuff from Patrick here!Endgame for the open webAnil articulates the reality of the open web really well and gives us pragmatic advice of what we can tangibly do to protect if from the vultures in the tech industry.Checking if a movie has a post or mid credit sceneA very cool tool (and write up) that's surprisingly simple.EZ-TreeNeed to procedurally generate trees? Don't slop it and use this tool instead.Wind Waker JSOne for the Zelda fans o

A quick but important reminder that font-family declarations don’t inherit fallback stacks the way many developers assume.

HTML in Canvas API は WICG で提案されている API で、Canvas 内に直接 HTML を描画できるようにするものです。現在の `` 要素にはリッチテキストや HTML コンテンツを描画する標準的な方法が存在しないという課題があります。この記事では HTML in Canvas の使用方法やユースケースについて説明します。

Neovim 0.12 ships a native UI2 layer that covers most of what noice.nvim provided. Here's what I replaced, what I kept, and what changed.

Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.

要約 3回目に権限をリクエストしたときにダイアログが出ないのは仕様です。権限ダイアログを出すのは諦め ...

We unveil the gemfile toolbox of the Martian Rails engineer; a universe of Evil Martian gems that encapsulate our philosophy and soul.

In short: GitHub’s downtime is bad, but uptime numbers can be misleading. It’s not as bad as it looks; more like a D than an F.“Zero nines uptime”?99.99% uptime, or “four nines”, is a common industry standard. Four nines of uptime is equivalent to 1.008 minutes of downtime per week.GitHub is not meeting that, and it’s frustrating. Even though they’re owned by Microsoft’s, one of the richest companies on earth, they aren’t clearing this bar.Here are some things people are saying:“GitHub appears t

The vendor is currently running a ClickFix clipboard hijacker on its own homepage. The vendor sells network exposure management and attack-path analysis to Fortune 500 enterprises, the US Departmen...

Learn how to use lazy loading without hurting web performance. This article explains when lazy loading improves performance, when it backfires, and how it impacts Core Web Vitals like LCP, CLS, and INP — with practical patterns and real-world pitfalls.

Hi, I’m a backend engineer on the Bucketeer ...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/github-repo-size">GitHub Repo Size</a></p> <p>GitHub doesn't tell you the repo size in the UI, but it's available in the CORS-friendly <a href="https://api.github.com/repos/simonw/datasette">API</a>. Paste a repo into this tool to see the size, <a href="https://tools.simonwillison.net/github-repo-size?repo=simonw%2Fdatasette">for example for simonw/datasette</a> (...

Share Tailwind v4 design tokens across multiple apps in a pnpm + Nx monorepo using a shared styles package and automated @source directives.

A registry-only supply chain attack on @velora-dex/sdk delivers an architecture-aware macOS backdoor that fires the moment your code imports the package. No install hooks, no repo commits, no visible output.

StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios, the largest npm supply chain attack on a single package by download count, before any public disclosure existed. What followed was a race against a state-sponsored threat actor who actively deleted GitHub issues to suppress the warning, a decision to host a community call at midnight that drew 200 attendees, and coverage from Bloomberg to Andrej Karpathy

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.

TeamPCP weaponized 76 Trivy version tags overnight. The KICS attack followed the same playbook days later. One security control is not enough. Here is how the StepSecurity platform's ten independent security layers work together to prevent credential exfiltration, detect compromised actions at runtime, and respond to incidents across your entire organization before attackers can succeed.

Your developer machine is running AI agents, MCP servers, IDE extensions, and hundreds of packages. Do you know which ones? Now there's a free, open-source way to find out.

Datadog's State of DevSecOps 2026 report confirms what StepSecurity has been warning about for years: CI/CD pipelines and GitHub Actions are prime targets for supply chain attacks. Learn how StepSecurity's platform directly mitigates every major risk identified in the report, from unpinned actions to day-of-release dependencies.

A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.

How StepSecurity delivers real-world protection across all critical pillars identified in Wiz's SDLC Infrastructure Threat Framework (SITF)

記事は ics.media へアクセスしてご覧ください。

Let's take a look at what SVG filters are and the basics of how they work.

A clever approach for selecting multiple dates on a calendar where the :nth-child()'s “n of selector” syntax does all the heavy lifting... even in the JavaScript.Selecting a Date Range in CSS originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Planning is now done, so now it's time to get stuck into a basic version of my website. It's important to do this part well because even though the UI is incredibly temporary, the system behind it is not, so we want to make sure our foundations are solid.I say a HTML-only build but I'm talking rubbish there. I'll mostly only be writing HTML (via Astro components) here, but there is CSS. Over the last couple of years at the studio we've been trying to "solve" global styles. We repeat ourselves ov

Claude Managed Agents は Claude を自律的なエージェントとして動作させるためのハーネスとインフラストラクチャーを提供します。長時間かかるタスクや非同期のタスクを実行するために使用するのが想定されています。この記事では実際に Claude Managed Agents を試してみた内容を紹介します。

Introducing Supabase Agent Skills: an open-source set of instructions that teach AI coding agents how to build on Supabase correctly.

こんにちは。AI LabチームのHan Kil Roです。サービスに必要なAIモデルやソリューションを開発するチームで業務に携わっています。最近、LINEヤフー社内で実施された Orchestrati...

<p><strong>Release:</strong> <a href="https://github.com/simonw/asgi-gzip/releases/tag/0.3">asgi-gzip 0.3</a></p> <p>I ran into trouble deploying a new feature using <a href="https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events">SSE</a> to a production Datasette instance, and it turned out that instance was using <a href="https://github.com/simonw/datasette-gzip">datasette-gzip</a> which uses <a href="https://gi...

In March, we experienced four incidents that resulted in degraded performance across GitHub services.The post GitHub availability report: March 2026 appeared first on The GitHub Blog.

こんにちは、PR TIMESでインターンをしている工藤（@k8035004287922）です。 今回は、社内の一部部署で必須運用されていたGmail送信前の誤送信確認用Chrome拡張を、社内要件に合わせて内製した取り組 […]

この記事は、合併前の旧ブログに掲載していた記事（初出：2020年9月8日）を、現在のブログへ移管したものです。現時点の情報に合わせ、表記やリンクの調整を行っています。こんにちは、お久しぶりです。岡部和...

AI事業本部 アドテクカンパニー Dynalystに所属している平田聡一朗と申します。本記事ではSt ...

Whether or not you read the code, it's gotta be ert

Fixes 120 issues (addressing 219 👍). Render Markdown in the terminal with bun ./file.md, Bun.WebView headless browser automation, in-process Bun.cron() scheduler, async stack traces for native errors, 2.3x faster URLPattern, 2x faster Bun.Glob.scan, cgroup-aware parallelism on Linux, and many bugfixes and Node.js compatibility improvements.

A new world for security-critical projects

Slack, Notion, and Linear each take a different approach to per-tenant roles and permissions. Here are the patterns worth stealing for your own app.

Master secure authentication in Node.js from Passport.js and JWTs to enterprise SSO, with production-ready patterns and security best practices.

How attackers turn legitimate consent prompts into persistent backdoors, and what your team can do about it.

A deep dive into the FIDO2/WebAuthn protocol mechanics that tie every passkey to a specific domain, making credential theft physically impossible at the cryptographic layer.

<p>Meta <a href="https://ai.meta.com/blog/introducing-muse-spark-msl/">announced Muse Spark</a> today, their first model release since Llama 4 <a href="https://simonwillison.net/2025/Apr/5/llama-4-notes/">almost exactly a year ago</a>. It's hosted, not open weights, and the API is currently "a private API preview to select users", but you can try it out today on <a href="https://meta.ai/">meta.ai</a> (Facebook or Instagram login required).</p><...

Keith Cirkel has been building some interesting and educational web games lately:

Socket CEO Feross Aboukhadijeh breaks down how North Korea hijacked Axios and what it means for the future of software supply chain security.

Safari Technology Preview Release 241 is now available for download for macOS Tahoe and macOS Sequoia.

OpenSSF has issued a high-severity advisory warning open source developers of an active Slack-based campaign using impersonation to deliver malware.

Get inspired by five of the most memorable, magical, and quirky Universe sessions to date.The post GitHub Universe is back: We want you to take the stage appeared first on The GitHub Blog.