StepSecurity now supports Maven in GitHub Checks and OSS Package Search, blocking compromised and freshly published Java dependencies in your pull requests.

Google released an AI “skill” at Google I/O last month called Modern Web Guidance. It’s essentially a folder of nested Markdown files that AI agents know how to read and use as part of their context window when they deem appropriate. This skill has a bunch of HTML/CSS/JavaScript information that guides AI to, hopefully, do […]

A coordinated 8-month supply chain attack planted credential-stealing code inside fake AI coding assistants on the JetBrains Marketplace, quietly exfiltrating OpenAI, DeepSeek, and SiliconFlow API keys to an attacker-controlled server in Beijing -- which our investigation found still operational today.

The translateZ() function moves an element closer to or farther from the user. translateZ() originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

The translateY() function shifts an element vertically by the specified amount. translateY() originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

The translateX() function shifts an element horizontally by the specified amount. translateX() originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

The CSS translate() function shifts an element from its default position on a 2-dimensional planetranslate() originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

AI SDK, with over 16 million weekly downloads, is the TypeScript SDK for building AI applications, features, frameworks, and agents across any model provider. It's the same layer , Vercel's open-source agent framework, is built on.eveAI SDK 7 adds production depth for agent work across five areas:Building well-behaved agents requires fine-grained control over model reasoning, tool context, and file handling.Most frontier models support configurable reasoning, but every provider API exposes it di

Standard.site provides a set of lexicons for publishing long-form content on the internet using the same protocol used under the hood by Bluesky.If you are wondering what 'lexicons' and 'the Atmosphere' are, don't fret. This article will explain what they mean, why you should care about Standard.site, and walk you through exactly how you can implement Standard.site using some simple JavaScript or a plugin for your favourite content management system.What Standard.site is and why you should careI

On June 24, 2026, an attacker published malicious versions of 20 npm packages belonging to the Leo Platform ecosystem in a coordinated burst spanning less than three seconds. All 20 packages carry an identical CI/CD attack toolkit that steals secrets from GitHub Actions runners, cloud credential stores, package registries, and password managers, then exfiltrates them via the victim's own GitHub token. Together these packages receive approximately 13,600 downloads per week.

Discover CKBox 2.12 and 2.13 with a refreshed UI, file versioning, asset overwrite, and PDF thumbnails for faster, more reliable asset management.

AI SDK 7 is a major release for building production agents in TypeScript. The SDK has grown from model calls and chat primitives into a broader agent platform for developing, running, integrating, and observing agents across text, audio, realtime, image, and video. Every major provider is supported out of the box.AI SDK 7 introduces two breaking requirements:Run the v7 codemods to automate the majority of import and rename changes before reviewing semantic migration items manually. See the .full

On June 24, 2026, an attacker compromised the simonecorsi/mawesome GitHub repository. They force-pushed malicious commits and repointed several version tags to that commit. As a result, any workflow running against those tags after that time executed the attacker's code inside its GitHub Actions runner.

On June 24, 2026, an attacker compromised the codfish/semantic-release-action GitHub repository. At 15:39:06 UTC they force-pushed a malicious commit and repointed several version tags to that commit. As a result, any workflow running against those tags after that time executed the attacker's code inside its GitHub Actions runner.

CTO 藤村がホストするPodcast、論より動くもの.fmの第36回を公開しました。今回は2025年新卒入社エンジニアの大塚と、ものづくりについて話をしました。 論より動くもの.fmは、Spotify、Apple Podcast、YouTubeで配信しています。フォローしていただくと、新エピソード公開時には自動で配信されますので、ぜひフォローしてください。 ホームディレクトリでClaude Codeを動かす日は来るか 藤村：こんにちは、論より動くもの.fmです。論より動くもの.fmは STORES のCTO 藤村が技術や技術じゃないことについてざっくばらんに話すポッドキャストです。今日は S…

LINEヤフーの技術カンファレンス「Tech-Verse 2026」の公式記事です。AIでのコーディングで難しいのは、もはやコードを出すこと自体ではありません。課題はその周辺にあります。意図を正確な仕...

LINEヤフーの技術カンファレンス「Tech-Verse 2026」の公式記事です。エージェントがコードを書く時代にコーディングエージェントを使い始めると、最初に気づくのはその速さです。その試行錯誤の...

An analysis of European Post Office websites to see which websites perform best across the Core Web Vitals.

<p><strong><a href="https://github.com/simonw/browser-compat-db">simonw/browser-compat-db</a></strong></p>Inspired by Mozilla's <a href="https://developer.mozilla.org/en-US/blog/introducing-mdn-mcp-server/">new MDN MCP service</a> - <a href="https://github.com/mdn/mcp">source code here</a> - I decided to try converting their comprehensive <a href="https://github.com/mdn/browser-compat-data">mdn/browser-compat-data</a> repos...

Explicit Resource Management (using/await using declarations, SuppressedError, DisposableStack, AsyncDisposableStack) has been merged into the ECMAScript specification.

New projects using Vercel Flags no longer need to configure SDK Keys or the environment variable when evaluating flags inside a Vercel deployment. At runtime, the Vercel adapter automatically receives a short-lived OIDC token, so authentication is handled for you with zero configuration.FLAGSFor local development, link your project with and pull credentials with . That's it.vercel linkvercel env pullExisting projects and all SDK Keys are unaffected. This change only applies to new projects, and

codfish/semantic-release-action was compromised on June 24, 2026. Attackers repointed v2–v5 tags to a Miasma credential-stealing payload targeting CI/CD secrets. Here's what happened and how to check if you're affected.Category: Vulnerabilities & Threats

The `rule` (and friends) CSS property allows us to draw markers (like borders) in the gaps between columns and rows (and flex items!)

<blockquote cite="https://macwright.com/2026/06/24/accidental-anonymity.html"><p>In the last few months, I've started to see [job applications] that were clearly cowritten by an LLM, link to an LLM-generated portfolio site, which then links to LLM-generated GitHub projects, with purely LLM-generated commit messages. [...]</p><p>My other reaction is that <em>I don't know anything about these people</em>.</p><p>They haven't put themselves out there....

今日のアプリケーション開発において、Feature Flags（機能フラグ）は欠かせないツールとなっています。Vercel Flags を使用することで、Vercel 上でホストされているアプリケーションに Feature Flags を簡単に導入することができます。この記事では、Vercel Flags を使用して Vercel 上でホストされているアプリケーションに Feature Flags を導入する方法を試してみます。

Self-Managed OAuth is now available to all developers on Cloudflare. Here's how we executed a zero-downtime migration of our core OAuth engine to make it happen.

The Fable shutdown shows how quickly model access can become a business continuity risk for AI-dependent engineering teams.

LINEヤフーの技術カンファレンス「Tech-Verse 2026」の公式記事です。大規模言語モデル（LLM）が入力トークンの物理的しきい値を百万規模へと拡張するにつれ、ソフトウェア工学の現場は「シリ...

LINEヤフーの技術カンファレンス「Tech-Verse 2026」の公式記事です。はじめにこんにちは。LINEヤフー株式会社のDBaaS DevOpsチームで働いている朴政武（パク・ジョンム）です。...

Evil Martians benchmarked five WebSocket servers for Node.js: Socket.io, uWebSockets.js, and AnyCable (OSS and Pro). How we caught our own load generator lying, and how to make WebSocket benchmark numbers honest.

Graceful task shutdown, deferred input hashing, composable `--affected` and `--filter`, local cache eviction.

GLM 5.2 Fast via Wafer is now available on .AI GatewayBased on our own benchmarking across small-context, large-context, and tool-call scenarios, Wafer delivers a 2x higher throughput than other providers serving GLM-5.2 on serverless, leading on decode and end-to-end speed for sustained generation in the small- and large-context cases.In our testing, GLM 5.2 Fast on Wafer measured:To use GLM 5.2 Fast, set to in the :modelzai/glm-5.2-fastAI SDKAI Gateway provides a unified API for calling models

CSS is getting a random() function that lets you set properties with a random value, letting you make interesting and creative new designs…

カミナシでソフトウェアエンジニアをしている furuya です。今回は開催直前！ AWS Summit Japan 2026 の楽しみ方をご紹介します！これを見て、「行ってみようかな」と思っていただけた方がひとりでも増えれば幸いです。 ※2026/06/24 現在公開されている情報や、AWS Summit Japan 2025 のときの情報をもとにしています。最新の情報は AWS Summit Japan 2026 公式サイトでご確認ください。 aws.amazon.com AWS Summit Japan 2026とは 6月25日（木）、26日（金）に幕張メッセで行われる、日本で一番大きな …

<p><strong>Release:</strong> <a href="https://github.com/simonw/datasette/releases/tag/1.0a35">datasette 1.0a35</a></p> <p>I'll write more about this one soon, but it's a big release. Three highlights from the release notes:</p><blockquote><ul><li>New "Create table" interface in the database actions menu, backed by the <code>/<database>/-/create</code> <a href="https://docs.datasette.io/en/latest/json...

Adam knows better than anyone, CSS knows about the user, device, variables, layout and more. But there is a little bit of information that CSS doesn’t have. Like what’s the current value of a range input exactly? What are the exact coordinates of the mouse? It’s not hard to pass over that information to CSS […]

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/opfs-pyodide">OPFS + Pyodide test harness</a></p> <p>I've been pondering if <a href="https://lite.datasette.io/">Datasette Lite</a> - the Python Datasette application run entirely in the browser using Pyodide and WebAssembly - might be able to edit persistent SQLite files stored on the user's computer.</p><p>That's what <a href="https://developer.mozilla.org/en...

The new post-quantum executive order sets a 2030 migration deadline and establishes a powerful foundation for post-quantum resilience. We look at what it gets right, where it can go further, and our migration playbook for government and industry.

Explore how my day as a senior leader looks now that I use 40 automations to help, and learn more about some of my favorites.The post I automated my job (and it made me a better leader) appeared first on The GitHub Blog.

We’re calling for targeted amendments to resolve conflicts with open source licensing and align with international transparency frameworks while preserving regulatory intent.The post GitHub joins coalition advocating for fixes to California AI Transparency Act to protect open source appeared first on The GitHub Blog.

AI agents are pulling packages into environments no scanner is watching, creating exposure before security teams can see it.

This is the technical companion to our update on Distilled, “Keeping the web open and private in the bot era.” Here we take a deeper look at the problem space, the design we’re proposing, and the problems still left to solve. Bots (and privacy-preserving browsers) not welcome Browse a news site in a private window. Shop […]The post PACT: Anonymous Credentials for the Web appeared first on Mozilla Hacks - the Web developer blog.

記事は ics.media へアクセスしてご覧ください。

2026年6月23日に、GMO Flatt Security主催の「OSS開発者は今何をするべきか？ソフトウェアサプライチェーン侵害対策を考える」で「Hardening npm Publishing」というタイトルで、npmパッケージの公開フローをどう守るかについて話しました。スライド: Hardening npm Publishingローカルのトークン管理やnpm Trusted Publishingについては、以前の記事で書きました。1Passwordを使って、ローカルにファイル(~/.configや.env)として置かれてる生のパスワードなどを削除した | Web Scratchパスワード管理/MFA管理の戦略 | Web Scratchnpm Trusted PublishingでOIDCを使ってトークンレスでCIからnpmパッケージを公開するこの記事ではそれらを前提に、GitHub Environmentsとnpm staged publishingをどこに入れるかの話をスライドベースでかいています。サプライチェーン攻撃をすべての侵害を防ぐのは難しいです。それでも、ローカル、

Aikido partners with Drydock to bring pre-publish package review to npm and PyPI. See exactly what's inside a release before it ships, malware caught before download number one.Category: Product & Company Updates

#tpac_study- https://web-study.connpass.com/event/378948/X- https://twitter.com/sajikix

You can now deploy a to Vercel with zero configuration.Node.js serverVercel detects a file at the project root or at and deploys it as a Node.js application, in addition to existing zero-configuration backends like Express, Koa, and NestJS:server.tssrc/server.tsVercel CLI can handle local development and deployment:Backends on Vercel are powered by with .Fluid computeActive CPU pricingLearn more about the .Node.js runtime on VercelRead more

LINEヤフーの技術カンファレンス「Tech-Verse 2026」の公式記事です。こんにちは。LINEヤフー株式会社の中野です。Yahoo!検索のAI回答サービスで大規模言語モデル（LLM）の最適化...

LINEヤフーの技術カンファレンス「Tech-Verse 2026」の公式記事です。はじめにこんにちは。LINEヤフーで大規模データ基盤の運用を担当している平山、沼田、小笠原、小川です。LINEヤフー...

pnpm 11.9 computes missing tarball integrity for registries that cannot publish checksums, adds pnpm sbom --exclude-peers, improves audit performance on cyclic lockfiles, fixes peer-resolution nondeterminism, and tightens exclusion handling for minimumReleaseAge and trustPolicy.

Val Town is a sort of Third Space for non-prod code

Learn how WebMCP enables AI agents to interact with websites through structured tools instead of traditional browser automation. This guide explains how WebMCP works, how it compares to DOM-based approaches, and how to validate your WebMCP implementation using Lighthouse and DebugBear.

Vercel's OIDC issuer () now supports custom audiences. Deployments can request OIDC tokens with a specific audience claim, enabling secure service-to-service authentication with third-party providers.oidc.vercel.comVercel OIDC tokens are issued with a fixed audience (). While most cloud providers don't require a specific audience value, using a unique audience per provider is a security best practice. If a provider is compromised, an attacker cannot replay the token against a different provider

Vercel is now a send-to destination in . When you finish a design, you can send it to Vercel and get a live URL back without leaving your canvas.Claude DesignClaude Design deploys the design as a new project in your connected Vercel account and returns a URL you can open and share.When you're ready to share a design, add Vercel as your destination in the 'Share' menu and connect the to get started.Vercel MCP server about using Claude Design and Vercel together.Learn moreRead more

The trace viewer for and has been redesigned to better support inspecting runs from start to finish. Search across spans, zoom into any section of the timeline, and step through with the keyboard to find what you're looking for fast, then click into any step to see its inputs, outputs, and run metadata.Vercel WorkflowsWorkflow SDKThe trace viewer is also available locally through with to inspect runs during development.Workflow SDKnpx workflow@beta webLearn more about .Vercel WorkflowsRead more

<p><strong><a href="https://role-confusion.github.io">Prompt Injection as Role Confusion</a></strong></p>First, I absolutely love this:</p><blockquote><p>This is a blog-style writeup of the paper.</p></blockquote><p>I wish <em>every paper</em> would come with one of these. Academic writing is pretty dry - the impact of a paper can be so much higher if you publish a readable version to accompany the formal one.&l...

<p>This morning <a href="https://news.ycombinator.com/item?id=48630171">on Hacker News</a> I saw <a href="https://hustvl.github.io/Moebius/">Moebius: 0.2B Lightweight Image Inpainting Framework with 10B-Level Performance</a>, describing a small but effective inpainting model - a model where you can mark regions of an image to remove and the model imagines what should fill the space. The released model <a href="https://github.com/hustvl/Moebius/blob/9310b76e368f5...

目次 はじめに Databricks Data + AI Summit とは Keynote 全体感 ...

はじめに カミナシでエンジニアリングマネージャーをしている、すずけん（@szk3）です。自チームのプロダクト「カミナシ 設備保全」には 2 つの AI 機能があり（プレスリリース）、どちらも Amazon Bedrock AgentCore 上のエージェントから同じ LLM モデルを呼び出しています。 リリースからしばらく経つと、「で、それぞれのAI機能でLLMの呼び出しいくらかかってるの？」という当然の疑問が出てきました。ところがこの２つのAI機能は同じLLMモデルを呼び出しており、請求上は合算されるため、機能ごとのコストを切り分けられていませんでした。 この記事では、Amazon Bedr…

By rearchitecting the Images binding, we accidentally uncovered a bug that existed in the open-source hyper library across multiple major versions.

Learn about the progress we’ve made toward our accessibility goals and how you can help make open source more inclusive. The post From pledge to practice: Building a more inclusive open source ecosystem appeared first on The GitHub Blog.

NGINX Ingress Controller 5.5.0 introduced the ExternalAuth Policy. This is the second blog post in a two part series that covers the ExternalAuth Policy, and is focused on a real world use...

Chat SDK now supports Kapso with the new .vendor-official adapterKapso connects your bot to WhatsApp through its hosted platform, handling the WhatsApp Business setup, credentials, and webhooks so you can focus on your bot's logic. Replies use the standard Chat SDK thread and message APIs, with support for buttons and cards, media, reactions, contacts, and conversation history.The adapter maps each WhatsApp conversation to a Chat SDK thread, tied to a specific phone number and contact, and each

Chat SDK now supports Novu with the new .vendor-official adapterOne handler set puts your agent on Slack, Microsoft Teams, WhatsApp, Telegram, and email. Novu handles credentials, identity, and delivery, keeping OAuth and tokens outside your app and mapping each channel to one user. Your agent always knows who they're talking to.Your agent can also send proactive notifications and handle the replies in the same loop, on whichever channel the customer used.One CLI command connects a real channel

Chat SDK now supports Sendblue with the new .vendor-official adapterBuild bots that send and receive iMessage, SMS, and RCS through Sendblue's hosted gateway, reaching people on the messaging apps they already use. Messages use iMessage-first delivery with support for automatic SMS and RCS fallback, tapbacks, typing indicators, and delivery status callbacks.The adapter maps each Sendblue conversation to a Chat SDK thread, tied to a specific phone line and contact (or group), and each inbound iMe

Chat SDK now supports Linq with the new .vendor-official adapterBuild bots that send and receive texts in both direct messages and group chats, with bidirectional media and native iMessage tapback reaction support. Replies use the standard Chat SDK thread and message APIs, with HMAC-verified webhooks and stable threading.The adapter maps each Linq chat to a Chat SDK thread, each text to a message, and each iMessage tapback to a reaction, so subscriptions, handlers, posts, and reactions work the

Sometimes designers have silly ideas that eventually grow on you. That happened to me with this concept where I had to build columns of items moving in opposite directions when a user scrolls the page.CodePen Embed FallbackNote: This …Using Scroll-Driven Animations for Opposing Scroll Directions originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

A tour through Read Committed, Repeatable Read, and Serializable, and why the same three words guarantee completely different things depending on which database you ask.

Cloudflare の Temporary Cloudflare Accounts を使用すると、人間が介入することなく AI エージェントが即座に Cloudflare Workers にデプロイできるようになります。この記事では、Temporary Cloudflare Accounts を使用して実際に Cloudflare Workers にデプロイする方法を試してみます。

At Vercel, feature flags are how we ship. From new features to model updates in v0, and even infrastructure changes like a production database migration where a flag was the cutover. The team alone runs hundreds at any given moment.v0Merging code sends a build to production, but the feature flags control whether users can see what changed. Flags let you ship on your own schedule, release to segments when you're ready, and roll back immediately by toggling a flag, without touching source files or

Learn how to build agent-ready websites using the Lighthouse Agentic browsing category and Chrome DevTools for agents.

コーポレートエンジニアの@sion_cojpです。 コーポレートエンジニアをやってると、コード化できないものも多く、その場合は手順書を残す必要があります。 手順書は 「作業者が、上からなぞって実施していけば誰でも同じ作業になる」ために、見やすく書くノウハウをこの記事では紹介します。 1. 全体の文字数・1文の文字数・画像数をなるべく少なくする 2. インデントは2つまで。最悪3つ目まで 3. 危ない作業は赤文字 + 太文字で 4. 画像を使わず、なるべく文字だけで表現する 5. プロセス図に沿った手順を書く 6. 作業の流れだけを書く。ベストはコピペだけでできるように完結させる 7. 注意点は…

LY Corporationの技術カンファレンス Tech-Verse 2026 の公式記事です。はじめにこんにちは。社内クラウドサービス Verda および社内モニタリングツール IMON に In...

LINEヤフーの技術カンファレンス「Tech-Verse 2026」の公式記事です。こんにちは。AIエージェントで分析を「ひとつなぎ」にするプロジェクト「PJ One Piece」のプロダクトマネージ...

開発者が手作業によるコンテキストスイッチから解放され、Issue ドリブンな開発フローをより滑らかに ...

本記事では、その検証結果を共有します。

Loin des discours habituels sur la productivité, les conférenciers ont abordé la disruption, l'IA fatigue, et la nécessité de repenser nos produits pour un monde où les agents deviennent des utilisateurs à part entière.

Astro 7.0 brings faster builds with Vite 8, a new Rust compiler, Advanced Routing, background dev server support, and structured logging.

Organizations are discovering that AI agent costs are invisible by design. The fix starts earlier in the stack than most teams realize.

The 5 beta now compresses all run, hook, and step inputs and outputs with .Workflow SDKzstdCompression kicks in automatically, but only when it helps. Small payloads stay as-is, larger ones get compressed before they're persisted.Compressed payloads use less storage and are faster to read and write, so your workflows run faster and cost less. The savings are largest for JSON payloads typical of AI conversations, where storage size and cost can drop by up to 85%.One typical Workflow, run and stor

You can now generate signed URLs for Vercel Blob directly from the Vercel CLI. A signed URL is a scoped URL with a set expiration time that lets you perform a single operation on a specific object. Each URL is scoped to one operation (, , , or ), one pathname, and a custom expiry of up to 7 days. Update the Vercel CLI to version to get started.getheadputdelete5.14.5Use the new command to sign a URL for a single operation, for example to provide short-lived access to a private file or to allow yo

Hobby users can now connect up to 25 projects per repository, up from 10. This makes it easier for users to onboard monorepos and use cases where one codebase maps to many deployable apps.Learn more about .repository connection limitsRead more

Vercel Functions can now serve WebSocket connections, enabling bidirectional communication between clients and server-side code on Vercel.Use WebSockets for realtime features such as interactive AI streaming, chat, and collaborative apps.WebSocket connections run on and follow the same and as other Function invocations. With , billing only applies to the time your Function spends processing messages, not idle connection time.Fluid computelimitspricingActive CPU pricingYou can serve WebSocket con

Sakana Fugu Ultra from Sakana AI is now available on .AI GatewayFugu Ultra is built on a pool of publicly accessible frontier models, rather than running as a single model. It coordinates several models, routing work to 1-3 agents depending on the problem and combining their results into a single answer.Based on reasoning and scientific benchmarks, Fugu Ultra has capabilities similar to those of Claude Mythos Preview and Fable 5.To use Fugu Ultra, set to in :modelsakana/fugu-ultraAI SDKAI Gatewa

<p><a href="https://sqlite-utils.datasette.io/en/latest/">sqlite-utils</a> is my combined Python library and CLI tool for working with SQLite databases. It provides an extensive set of higher-level operations on top of Python's default <a href="https://docs.python.org/3/library/sqlite3.html">sqlite3 package</a>, including support for <a href="https://sqlite-utils.datasette.io/en/latest/cli.html#transforming-tables">complex table transformations</a>, aut...

<p><strong>Release:</strong> <a href="https://github.com/simonw/sqlite-utils/releases/tag/4.0rc1">sqlite-utils 4.0rc1</a></p> <p>See <a href="https://simonwillison.net/2026/Jun/21/sqlite-utils-40rc1/">sqlite-utils 4.0rc1 adds migrations and nested transactions</a>.</p> <p>Tags: <a href="https://simonwillison.net/tags/sqlite-utils">sqlite-utils</a></p>

<p><strong><a href="https://blog.cloudflare.com/temporary-accounts/">Temporary Cloudflare Accounts for AI agents</a></strong></p>The announcement says this is "for AI agents" but (as is pretty common these days) the AI hook isn't really necessary, this is an interesting feature for everyone else as well.</p><p>Short version: you can now create a Cloudflare Workers project and run this, without even creating a Cloudflare account:</p><pre&g...

Codex の Record & Replay は macOS 上でのユーザーの操作を実演することで再利用可能なスキルに変換する機能です。例えば経費精算の提出や勤怠アプリへの打刻や工数入力、定期的なレポートの作成などをスキルとして記録し、煩雑な定型業務を AI に任せることが期待できます。この記事では、Record & Replay を実際に試してみた様子を紹介します。

GitHub Actions checkout now blocks risky pull_request_target checkouts by default to help prevent pwn request supply chain attacks.

Vercel が新しい AI エージェントフレームワーク eve を発表しました。Next.js の設計思想に基づいて構築された eve は、AI エージェントの開発に必要な機能がすべて揃ったフレームワークです。この記事では、eve を使って簡単なエージェントを作成し、実行する方法を紹介します。

<blockquote cite="https://news.ycombinator.com/item?id=48592163#48593190"><p>The real valuable capability MCP offers over skills/CLI is isolating the auth flow outside of the agent’s context window, and potentially out of the harness completely. [...]</p><p>Maybe the idealized form of MCP is just an auth gateway for the API and nothing else. That’d still be a win.</p></blockquote><p class="cite">— <a href="https://news.ycombinator.com/item?...

Socket now supports Custom Roles and Repository Access Permissions so organizations can control who can access specific repositories and actions.

Qubot, our internal Copilot-powered analytics agent, allows any GitHub employee to ask questions about our data in plain language. Here's what we learned as we built it.The post How we built an internal data analytics agent appeared first on The GitHub Blog.

View Transitions are of unique help in applying an animation to an element even when you are literally removing it from the DOM.

Let's poke at the differences between scroll-driven and scroll-triggered animations.A First Look at Scroll-Triggered Animations originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

The moment an agent needs to deploy something, it slams face-first into a wall built for humans. Today we're rolling out Temporary Accounts on Cloudflare Workers. Any agent can now run wrangler deploy — temporary and get a live Worker in seconds.

HyperblamHeydon Pickering has been very busy building out a declarative, web component-based system for making music with HTML, along with a stunning companion site.Web browsers on video game consolesA thoroughly fascinating read.Standard ReaderThis is a really nice RSS reader-like standard.site reader.How building an HTML-first site doubled our users overnightWe challenged Alistair to write this and boy, did they deliver!An in-depth guide to customising lists with CSSHere's one from the Piccali

2026年6月29日（月）、技術カンファレンス「Tech-Verse 2026」（以下、本カンファレンス）を、オンラインにて開催いたします。本カンファレンスは、LINEヤフーおよび海外法人を含むグルー...

Like RSS and Google Reader.

The framework wars taught us that the winning layer often does less. The same pattern is emerging for AI agents, where narrow agents need meta harnesses above them.

How SAML attribute mapping works, how to configure it in Okta and Microsoft Entra ID, and how to map user roles, groups, and custom claims to your application.

<p>Today we launched a new plugin for Datasette, <a href="https://github.com/datasette/datasette-apps">datasette-apps</a>, with <a href="https://datasette.io/blog/2026/datasette-apps/">this launch announcement post</a> on the Datasette project blog. That post has the <em>what</em>, but I'm going to expand on that a little bit here to provide the <em>why</em>.</p><h4 id="the-tl-dr">The TL;DR</h4><p>Datasette Apps are s...

Socket MCP now lets AI assistants review org alerts, investigate threats using the Socket threat feed, and inspect package files in addition to dependency scoring.

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-acl/releases/tag/0.6a0">datasette-acl 0.6a0</a></p> <blockquote><p>This release expands <code>datasette-acl</code> from table-only permissions toward a general resource-sharing system.</p></blockquote><p>Alex Garcia did most of the work for this release - we're fleshing out the plugin that will allow multi-user Datasette instances finely grai...

We break down the technical architecture behind our multi-stage vulnerability discovery harness and automated triage loop. Learn how we manage state controls, squash false positives through adversarial review, and route around LLM context limits.

Learn how pull request limits can help manage contribution volume in your repositories, and see what’s next on the roadmap.The post How pull request limits are cutting down the noise appeared first on The GitHub Blog.