Using CSS animations as state machinesExtremely clever stuff from Patrick here!Endgame for the open webAnil articulates the reality of the open web really well and gives us pragmatic advice of what we can tangibly do to protect if from the vultures in the tech industry.Checking if a movie has a post or mid credit sceneA very cool tool (and write up) that's surprisingly simple.EZ-TreeNeed to procedurally generate trees? Don't slop it and use this tool instead.Wind Waker JSOne for the Zelda fans o

A quick but important reminder that font-family declarations don’t inherit fallback stacks the way many developers assume.

HTML in Canvas API は WICG で提案されている API で、Canvas 内に直接 HTML を描画できるようにするものです。現在の `` 要素にはリッチテキストや HTML コンテンツを描画する標準的な方法が存在しないという課題があります。この記事では HTML in Canvas の使用方法やユースケースについて説明します。

Neovim 0.12 ships a native UI2 layer that covers most of what noice.nvim provided. Here's what I replaced, what I kept, and what changed.

Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.

要約 3回目に権限をリクエストしたときにダイアログが出ないのは仕様です。権限ダイアログを出すのは諦め ...

Learn how to use lazy loading without hurting web performance. This article explains when lazy loading improves performance, when it backfires, and how it impacts Core Web Vitals like LCP, CLS, and INP — with practical patterns and real-world pitfalls.

Explore key CI/CD security trends for 2024, including shifts to modern platforms, third-party component risks, rising security incidents, and the growing need for secure pipelines. Learn how to protect your organization from evolving threats in the CI/CD landscape.

Hi, I’m a backend engineer on the Bucketeer ...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/github-repo-size">GitHub Repo Size</a></p> <p>GitHub doesn't tell you the repo size in the UI, but it's available in the CORS-friendly <a href="https://api.github.com/repos/simonw/datasette">API</a>. Paste a repo into this tool to see the size, <a href="https://tools.simonwillison.net/github-repo-size?repo=simonw%2Fdatasette">for example for simonw/datasette</a> (...

Your developer machine is running AI agents, MCP servers, IDE extensions, and hundreds of packages. Do you know which ones? Now there's a free, open-source way to find out.

Datadog's State of DevSecOps 2026 report confirms what StepSecurity has been warning about for years: CI/CD pipelines and GitHub Actions are prime targets for supply chain attacks. Learn how StepSecurity's platform directly mitigates every major risk identified in the report, from unpinned actions to day-of-release dependencies.

A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.

AI coding agents install packages, create pull requests, push commits, and run autonomously in CI/CD pipelines. Here's how to secure every stage of that workflow

How StepSecurity delivers real-world protection across all critical pillars identified in Wiz's SDLC Infrastructure Threat Framework (SITF)

記事は ics.media へアクセスしてご覧ください。

Share Tailwind v4 design tokens across multiple apps in a pnpm + Nx monorepo using a shared styles package and automated @source directives.

Let's take a look at what SVG filters are and the basics of how they work.

A clever approach for selecting multiple dates on a calendar where the :nth-child()'s “n of selector” syntax does all the heavy lifting... even in the JavaScript.Selecting a Date Range in CSS originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

Planning is now done, so now it's time to get stuck into a basic version of my website. It's important to do this part well because even though the UI is incredibly temporary, the system behind it is not, so we want to make sure our foundations are solid.I say a HTML-only build but I'm talking rubbish there. I'll mostly only be writing HTML (via Astro components) here, but there is CSS. Over the last couple of years at the studio we've been trying to "solve" global styles. We repeat ourselves ov

Claude Managed Agents は Claude を自律的なエージェントとして動作させるためのハーネスとインフラストラクチャーを提供します。長時間かかるタスクや非同期のタスクを実行するために使用するのが想定されています。この記事では実際に Claude Managed Agents を試してみた内容を紹介します。

A registry-only supply chain attack on @velora-dex/sdk delivers an architecture-aware macOS backdoor that fires the moment your code imports the package. No install hooks, no repo commits, no visible output.

Introducing Supabase Agent Skills: an open-source set of instructions that teach AI coding agents how to build on Supabase correctly.

こんにちは。AI LabチームのHan Kil Roです。サービスに必要なAIモデルやソリューションを開発するチームで業務に携わっています。最近、LINEヤフー社内で実施された Orchestrati...

<p><strong>Release:</strong> <a href="https://github.com/simonw/asgi-gzip/releases/tag/0.3">asgi-gzip 0.3</a></p> <p>I ran into trouble deploying a new feature using <a href="https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events">SSE</a> to a production Datasette instance, and it turned out that instance was using <a href="https://github.com/simonw/datasette-gzip">datasette-gzip</a> which uses <a href="https://gi...

In March, we experienced four incidents that resulted in degraded performance across GitHub services.The post GitHub availability report: March 2026 appeared first on The GitHub Blog.

こんにちは、PR TIMESでインターンをしている工藤（@k8035004287922）です。 今回は、社内の一部部署で必須運用されていたGmail送信前の誤送信確認用Chrome拡張を、社内要件に合わせて内製した取り組 […]

この記事は、合併前の旧ブログに掲載していた記事（初出：2020年9月8日）を、現在のブログへ移管したものです。現時点の情報に合わせ、表記やリンクの調整を行っています。こんにちは、お久しぶりです。岡部和...

AI事業本部 アドテクカンパニー Dynalystに所属している平田聡一朗と申します。本記事ではSt ...

Whether or not you read the code, it's gotta be ert

Fixes 120 issues (addressing 219 👍). Render Markdown in the terminal with bun ./file.md, Bun.WebView headless browser automation, in-process Bun.cron() scheduler, async stack traces for native errors, 2.3x faster URLPattern, 2x faster Bun.Glob.scan, cgroup-aware parallelism on Linux, and many bugfixes and Node.js compatibility improvements.

A new world for security-critical projects

Slack, Notion, and Linear each take a different approach to per-tenant roles and permissions. Here are the patterns worth stealing for your own app.

Master secure authentication in Node.js from Passport.js and JWTs to enterprise SSO, with production-ready patterns and security best practices.

How attackers turn legitimate consent prompts into persistent backdoors, and what your team can do about it.

A deep dive into the FIDO2/WebAuthn protocol mechanics that tie every passkey to a specific domain, making credential theft physically impossible at the cryptographic layer.

<p>Meta <a href="https://ai.meta.com/blog/introducing-muse-spark-msl/">announced Muse Spark</a> today, their first model release since Llama 4 <a href="https://simonwillison.net/2025/Apr/5/llama-4-notes/">almost exactly a year ago</a>. It's hosted, not open weights, and the API is currently "a private API preview to select users", but you can try it out today on <a href="https://meta.ai/">meta.ai</a> (Facebook or Instagram login required).</p><...

Keith Cirkel has been building some interesting and educational web games lately:

Socket CEO Feross Aboukhadijeh breaks down how North Korea hijacked Axios and what it means for the future of software supply chain security.

Safari Technology Preview Release 241 is now available for download for macOS Tahoe and macOS Sequoia.

OpenSSF has issued a high-severity advisory warning open source developers of an active Slack-based campaign using impersonation to deliver malware.

Get inspired by five of the most memorable, magical, and quirky Universe sessions to date.The post GitHub Universe is back: We want you to take the stage appeared first on The GitHub Blog.

<blockquote cite="https://gilest.org/notes/2026/human-ai/"><p>I have a feeling that <strong>everyone likes using AI tools to try doing someone else’s profession</strong>. They’re much less keen when someone else uses it for their profession.</p></blockquote><p class="cite">— <a href="https://gilest.org/notes/2026/human-ai/">Giles Turnbull</a>, AI and the human voice</p> <p>Tags: <a href="https://simonwillison.net/tag...

By applying symbolic execution and the Z3 theorem prover to BPF bytecode, we’ve automated the generation of malware trigger packets, cutting analysis time from hours to seconds.

デザインデータ（Figma）v2.12.0を公開しました。

Material UI v9.0 for developers: theming, accessibility, keyboard navigation, performance, and new Base UI-powered additions.

Introducing Material UI + MUI X v9: unified major version, new foundations, advanced components, and AI-native workflows.

MUI X Charts v9.0, keyboard-first by default, composition and codemods, Pro and Premium updates (heatmap, Sankey, export, WebGL).

An early look at MUI X Chat v9 alpha: ChatBox, adapters and streaming, and how it fits AI-native workflows across the stack.

MUI X Data Grid v9.0: stronger dynamic data and lazy loading, stable Charts in the grid, and AI Assistant with Console and bring your own key.

An early look at MUI X Scheduler v9 alpha: event and resource planning, calendar and timeline views, Community vs Premium, and how it fits the advanced stack.

Tree View and Date and Time Pickers in MUI X v9: virtualization-by-default trees, picker field and focus ergonomics, locales, and migration-oriented cleanups.

Get a preview of the next Chrome release with this post detailing the features in the current beta.

We're launching a new appeals process in the Chrome Web Store.

Connect any OpenID Connect identity provider to your Supabase project: GitHub Enterprise, regional providers, and more.

こんにちは。newmo 自動運転開発室のyui_tangです。 先日、自動運転開発室のオンボーディングと技術理解の共有を目的として、JetRacer を用いた社内ハッカソン合宿「ロボライダー」を開催しました。合宿の様子や背景は note に まとめています。 👉 note.com 本記事ではイベントレポートではなく、合宿で再現した開発サイクルと、実機を扱う際に 顕在化した課題を書き記します。 小さくしても、問題は小さくならない JetRacer は NVIDIA Jetson を搭載した小型の自律走行車プラットフォームです。カメラ 画像を入力としてニューラルネットワークが操舵角とスロットル値を…

デザインシステムを Skills にしたら使いやすくなったサイボウズのプロダクトである kintone では、社内向けに kintone Design System と呼ばれるデザインシステムが提供されています。https://note.com/amishiratori/n/n0d8467106f27AI Agent を用いた開発向けに、このデザインシステムの Skills 化を試みたところ、提供側・利用側ともに非常に取り回しやすい形となったため、事例として紹介します。 デザインシステム x MCPデザインシステムをコーディング用の AI Agent から活用する際、一例...

You may have spotted that MDN has a new frontend. There's plenty happening under the surface, so let's unpack the technologies we chose, the architectural decisions we made, and why we did a rebuild at all.

NIST published a concept paper stating, “Organizations need to understand how identity principles such as identification, authentication, and authorization can apply to agents to provide appropriate protections while enabling business value.”This post, and the series that follows, is 1Password’s response to NIST’s call for input on how those principles should apply to agents.At 1Password, we approach security through simplicity. We are developing an agent identity architecture to simplify and en

Evil Martians migrated Wallarm's core event pipeline from NATS to Kafka in two months with zero downtime. Learn how we also handle event deduplication and reconstruct business flows for better understanding of the application.

When AI-powered coding meets punch-card era technology

Webpack 5.106

What to use when your B2B auth needs outpace PropelAuth.

30 CVEs in 60 days, a backdoored npm package stealing emails, and a hosting platform flaw that put 3,000 servers at risk. Here's how to secure the supply chain your AI agents depend on.

A complete breakdown of one of the most dangerous JWT vulnerabilities, from the cryptographic mechanics to the defensive code patterns that stop it.

Malicious packages published to npm, PyPI, Go Modules, crates.io, and Packagist impersonate developer tooling to fetch staged malware, steal credentials and wallets, and enable remote access.

<p><strong><a href="https://z.ai/blog/glm-5.1">GLM-5.1: Towards Long-Horizon Tasks</a></strong></p>Chinese AI lab Z.ai's latest model is a giant 754B parameter 1.51TB (on <a href="https://huggingface.co/zai-org/GLM-5.1">Hugging Face</a>) MIT-licensed monster - the same size as their previous GLM-5 release, and sharing the <a href="https://huggingface.co/papers/2602.15763">same paper</a>.</p><p>It's available <a href="htt...

Recent advances in quantum hardware and software have accelerated the timeline on which quantum attack might happen. Cloudflare is responding by moving our target for full post-quantum security to 2029.

NGINX Ingress Controller lets you define IP-based access rules once in a Policy resource and apply them consistently across your Ingress traffic paths. Across this blog, we’re focused on: Why Use a Policy for Access Control? Many teams manage IP restrictions through cloud firewalls or raw NGINX config snippets and quickly end up with drift. […]

<p>Anthropic <em>didn't</em> release their latest model, Claude Mythos (<a href="https://www-cdn.anthropic.com/53566bf5440a10affd749724787c8913a2ae0841.pdf">system card PDF</a>), today. They have instead made it available to a very restricted set of preview partners under their newly announced <a href="https://www.anthropic.com/glasswing">Project Glasswing</a>.</p><p>The model is a general purpose model, similar to Claude Opus 4.6, but Anthr...

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.

Microsoft has released an open source toolkit for enforcing runtime security policies on AI agents as adoption accelerates faster than governance controls.

<p><strong>Research:</strong> <a href="https://github.com/simonw/research/tree/main/sqlite-wal-docker-containers#readme">SQLite WAL Mode Across Docker Containers Sharing a Volume</a></p> <p>Inspired by <a href="https://news.ycombinator.com/item?id=47637353">this conversation</a> on Hacker News about whether two SQLite processes in separate Docker containers that share the same volume might run into problems due to WAL shared memory. The answ...

If we give a `container-name` to the root of all our unique components, we can scope styles to them with a simple @container query.

Cascade layers, specificity tricks, smarter ordering, and even some clever selector hacks can often replace !important with something cleaner, more predictable, and far less embarrassing to explain to your future self.Alternatives to the !important Keyword originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

Designing for agentic AI requires attention to both the system’s behavior and the transparency of its actions. Between the black box and the data dump lies a more thoughtful approach. Victor Yocco explores how to map decision points and reveal the right moments to build trust through clarity, not noise.

Element-scoped view transitions, CSS contrast-color(), and the border-shape property.

Automatic context switching for AI assistance, Updates for DevTools for agents, and code completion for Console and Sources panels.

こんにちは。ソフトウェアエンジニアの眞井です。私はこれまでアーキテクトとして、検索連動型ショッピング広告のレポートシステムに関連する2つの新規システム開発や、その他数多くの機能追加に携わってきました。...

21% revenue growth. Everyone's building AI agents and internal tools. You should deploy them on Val Town

プロダクトマネージャやデザイナもAIでプルリクエストを作成できるプロセスを作ろう こんにちは。息子と『ドラベース』を読みはじめた daipresents です。トンボール投げたい！ カミナシでは「カミナシ 教育」と「カミナシ 従業員」のマネージャを担当しております。 前回、月1回のオンサイトにおける取り組みを紹介させていただきました。 参考： エンジニアじゃない人でもAIを使えば開発貢献できるんじゃないの？イベントを開催してみた こちらについては、プロダクトマネージャやプロダクトデザイナの評価はとても高く、「もっとやりたい！」、「リリースしたい！」と、みんな開発に対する意気込みを表明してくれま…

In the early hours of April 7th, nearly 100 Magento stores got mass-infected with a "double-tap" skimmer: a credit card stealer hidden inside an invisible SVG element. Sansec found stolen...

OpenTelemetry instrumentation, non-blocking scrypt, passkey pre-auth registration, SAML hardening, a new release workflow, and more.

Symmetric vs asymmetric JWT signatures: how each algorithm works, when to use which, and the security tradeoffs every developer should know

A 2026 guide to the leading IAM solutions for SaaS teams, with a breakdown of features, pricing, and trade-offs to help you choose the right provider and start closing enterprise deals faster.

Your users enable multi-factor authentication, use strong passwords, and follow every security best practice you recommend. But none of it matters if an attacker is sitting between them and your login page, relaying traffic in real time and walking away with a valid session cookie.

Today we are excited to release React Native 0.85!

Component-driven development for humans and agents

Discover how Rubber Duck provides a different perspective to GitHub Copilot CLI. The post GitHub Copilot CLI combines model families for a second opinion appeared first on The GitHub Blog.

Cloudflare Organizations is now in public beta, introducing a new management layer for enterprise customers with multiple accounts. Learn how we consolidated our authorization systems to enable org-wide management.

StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios, the largest npm supply chain attack on a single package by download count, before any public disclosure existed. What followed was a race against a state-sponsored threat actor who actively deleted GitHub issues to suppress the warning, a decision to host a community call at midnight that drew 200 attendees, and coverage from Bloomberg to Andrej Karpathy

How does AI actually remember things between messages, and why does it forget halfway through? I ran a few experiments on Claude Sonnet and GPT-5 and wrote down what I saw.

Chrome 145 introduces the column-height and column-wrap properties, enabling us to wrap the additional content into a new row below, creating a vertical scroll instead of a horizontal scroll.Looking at New CSS Multi-Column Layout Wrapping Features originally published on CSS-Tricks, which is part of the DigitalOcean family. You should get the newsletter.

We can make puzzle pieces in CSS thanks to the amazing clip-path: shape(). Here, Amit takes it further by making a whole grid of them with matched edges and content inside.

目次 はじめに 課題と前提 Weighted Backend Service によるルーティング制御 ...

<p><strong><a href="https://apps.apple.com/nl/app/google-ai-edge-gallery/id6749645337">Google AI Edge Gallery</a></strong></p>Terrible name, really great app: this is Google's official app for running their Gemma 4 models (the E2B and E4B sizes, plus some members of the Gemma 3 family) directly on your iPhone.</p><p>It works <em>really</em> well. The E2B model is a 2.54GB download and is both fast and genuinely useful.</p><p&g...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-ports/releases/tag/0.2">datasette-ports 0.2</a></p> <blockquote><ul><li>No longer requires Datasette - running <code>uvx datasette-ports</code> now works as well.</li><li>Installing it as a Datasette plugin continues to provide the <code>datasette ports</code> command.</li></ul></blockquote> <p>Tags: <a ...

<p><strong>Release:</strong> <a href="https://github.com/simonw/scan-for-secrets/releases/tag/0.3">scan-for-secrets 0.3</a></p> <blockquote><ul><li>New <code>-r/--redact</code> option which shows the list of matches, asks for confirmation and then replaces every match with <code>REDACTED</code>, taking escaping rules into account.</li><li>New Python function <code>redact_file(file_path: str | Path, s...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/cleanup-claude-code-paste">Cleanup Claude Code Paste</a></p> <p>Super-niche tool this. I sometimes copy prompts out of the Claude Code terminal app and they come out with a bunch of weird additional whitespace. This tool cleans that up.</p><p><img alt="Screenshot of a web tool titled "Cleanup Claude Code Paste" with the subtitle "Paste terminal o...

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-ports/releases/tag/0.1">datasette-ports 0.1</a></p> <p>Another <a href="https://gisthost.github.io/?f92d8a6bdadee1c77972b5e51954144e">example</a> of README-driven development, this time solving a problem that might be unique to me.</p><p>I often find myself running a bunch of different <a href="https://datasette.io">Datasette</a> instances wi...

Learn what's new in the world of slow tests and how TestProf continues to help Rails teams to keep CI build times under control.

From forged assertions to memory leaks, SAML's XML foundations keep producing serious bugs. Here's what happened and what you should be doing about it.

Most AI agents run with borrowed sessions and far more access than they need. Here's how to replace that with scoped, revocable credentials and tool-level authorization.

<p><strong><a href="https://lalitm.com/post/building-syntaqlite-ai/">Eight years of wanting, three months of building with AI</a></strong></p>Lalit Maganti provides one of my favorite pieces of long-form writing on agentic engineering I've seen in ages.</p><p>They spent eight years thinking about and then three months building <a href="https://github.com/lalitMaganti/syntaqlite">syntaqlite</a>, which they describe as "<a href="https...

AIがコードを書く時代、QAはどう変わるべきか？ Claude Code、Devin、Cursorと ...

<blockquote cite="https://twitter.com/cpmou2022/status/2040606209800290404"><p>From anonymized U.S. ChatGPT data, we are seeing:</p><ul><li>~2M weekly messages on health insurance</li><li>~600K weekly messages [classified as healthcare] from people living in “hospital deserts” (30 min drive to nearest hospital)</li><li>7 out of 10 msgs happen outside clinic hours</li></ul></blockquote><p class="cite">— <a...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/syntaqlite">Syntaqlite Playground</a></p> <p>Lalit Maganti's <a href="https://github.com/LalitMaganti/syntaqlite">syntaqlite</a> is currently being discussed <a href="https://news.ycombinator.com/item?id=47648828">on Hacker News</a> thanks to <a href="https://lalitm.com/post/building-syntaqlite-ai/">Eight years of wanting, three months of building with AI&lt...

<p><strong>Release:</strong> <a href="https://github.com/simonw/scan-for-secrets/releases/tag/0.2">scan-for-secrets 0.2</a></p> <ul><li>CLI tool now streams results as they are found rather than waiting until the end, which is better for large directories.</li><li><code>-d/--directory</code> option can now be used multiple times to scan multiple directories.</li><li>New <code>-f/--file</code> option ...

<p><strong>Release:</strong> <a href="https://github.com/simonw/scan-for-secrets/releases/tag/0.1.1">scan-for-secrets 0.1.1</a></p> <blockquote><ul><li>Added documentation of the escaping schemes that are also scanned.</li><li>Removed unnecessary <code>repr</code> escaping scheme, which was already covered by <code>json</code>.</li></ul></blockquote>

<p><strong>Release:</strong> <a href="https://github.com/simonw/scan-for-secrets/releases/tag/0.1">scan-for-secrets 0.1</a></p> <p>I like publishing transcripts of local Claude Code sessions using my <a href="https://github.com/simonw/claude-code-transcripts">claude-code-transcripts</a> tool but I'm often paranoid that one of my API keys or similar secrets might inadvertently be revealed in the detailed log files.</p><p>I built t...

コーディングエージェントの自動承認の範囲をどこまで許可するかは、ユーザー体験とセキュリティのバランスを取る上で重要な設計指針の1つです。Codex ではサンドボックス機能を提供することで、エージェントが安全に自律的に動作できる環境を実現しています。この記事では、Codex のサンドボックスの仕組みと、サンドボックス外でコマンドを実行する際の承認プロセスについて説明します。

<p><strong>Release:</strong> <a href="https://github.com/simonw/research-llm-apis/releases/tag/2026-04-04">research-llm-apis 2026-04-04</a></p> <p>I'm working on a <a href="https://github.com/simonw/llm/issues/1314">major change</a> to my LLM Python library and CLI tool. LLM provides an abstraction layer over hundreds of different LLMs from dozens of different vendors thanks to its plugin system, and some of those vendors have grown new feat...

スケルトンローダーは、コンテンツが読み込まれる前に表示されるプレースホルダーで、ユーザーに対して読み込み中であることを視覚的に示すためのものです。Boneyard はスケルトンローダーの手動の計測と更新の手間を解消するためのフレームワークです。この記事では、Boneyard を使用してスケルトンローダーを簡単に実装する方法について説明します。

<blockquote cite="https://twitter.com/kdaigle/status/2040164759836778878"><p>[GitHub] platform activity is surging. There were 1 billion commits in 2025. Now, it's 275 million per week, on pace for 14 billion this year if growth remains linear (spoiler: it won't.)</p><p>GitHub Actions has grown from 500M minutes/week in 2023 to 1B minutes/week in 2025, and now 2.1B minutes so far this week.</p></blockquote><p class="cite">— <a href="https:/...

<p><strong><a href="https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/">Vulnerability Research Is Cooked</a></strong></p>Thomas Ptacek's take on the sudden and enormous impact the latest frontier models are having on the field of vulnerability research.</p><blockquote><p>Within the next few months, coding agents will drastically alter both the practice and the economics of exploit development. Frontier model improvement...

<p>A fun thing about <a href="https://simonwillison.net/2026/Apr/2/lennys-podcast/">recording a podcast</a> with a professional like Lenny Rachitsky is that his team know how to slice the resulting video up into TikTok-sized short form vertical videos. Here's <a href="https://x.com/lennysan/status/2039845666680176703">one he shared on Twitter today</a> which ended up attracting over 1.1m views!</p><p><video src="https://static.simonwillison.net/stati...

<blockquote cite="https://lwn.net/Articles/1065620/"><p>On the kernel security list we've seen a huge bump of reports. We were between 2 and 3 per week maybe two years ago, then reached probably 10 a week over the last year with the only difference being only AI slop, and now since the beginning of the year we're around 5-10 per day depending on the days (fridays and tuesdays seem the worst). Now most of these reports are correct, to the point that we had to bring in more maintainer...

<blockquote cite="https://mastodon.social/@bagder/116336957584445742"><p>The challenge with AI in open source security has transitioned from an AI slop tsunami into more of a ... plain security report tsunami. Less slop but lots of reports. Many of them really good.</p><p>I'm spending hours per day on this now. It's intense.</p></blockquote><p class="cite">— <a href="https://mastodon.social/@bagder/116336957584445742">Daniel Stenberg<...

<blockquote cite="https://www.theregister.com/2026/03/26/greg_kroahhartman_ai_kernel/"><p>Months ago, we were getting what we called 'AI slop,' AI-generated security reports that were obviously wrong or low quality. It was kind of funny. It didn't really worry us.</p><p>Something happened a month ago, and the world switched. Now we have real reports. All open source projects have real reports that are made with AI, but they're good, and they're real.</p></blockq...

Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

デフォルトの `workspace-write` サンドボックスではネットワークアクセスは無効です。外部通信を許可したい場合は、`config.toml` で明示的に有効にします。

<p><strong>Research:</strong> <a href="https://github.com/simonw/research/tree/main/test-csp-iframe-escape#readme">Can JavaScript Escape a CSP Meta Tag Inside an Iframe?</a></p> <p>In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject <code><meta http-equiv="Content-Security-Policy"...

The path to better performance is often found in simplicity.The post The uphill climb of making diff lines performant appeared first on The GitHub Blog.

コーディングエージェントに多く承認を求められると、本当に確認が必要なコマンドの実行を見落とす確率が高まります。Codex には `smart_approvals` という設定があります。これは承認が必要になったとき、その一部をそのままユーザーに投げるのではなく、まず `guardian reviewer` というサブエージェント経由で扱うための実験的な機能です。

Codex では `hooks` を使って、特定のタイミングで任意のコマンドを実行できます。例えば応答が終わるたびに通知したい場合は `Stop hook` を使います。