rollback

The engineering internet, daily.

A short scroll of what's worth your attention across blogs, github, AI labs, and the wider tech world. New batch every morning.

subscribe via rss
today52026-07-17
yesterday72026-07-16
github.com
systems

llama.cpp b10043 adds cuda virtual devices support

the cuda backend can now expose virtual devices, splitting one physical gpu into multiple logical ones. the build disables the nccl multi-gpu path while virtual devices are in use to avoid conflicts.

github.com
ai

openai codex 0.144.5 hardens dangerous-command detection

the codex cli stable release widens its blocklist for risky shell commands, catching more forced rm variants, and gives clearer feedback when it refuses to run a command.

github.com
ai

ollama 0.32.1 improves gemma 4 tool calling and fixes an mlx cache leak

the pre-release sharpens gemma 4 tool calling and multi-turn reasoning with more reliable tool-response continuations, and fixes a recurring mlx model cache leak that grew memory use across requests.

github.com
oss

n8n 2.31.2 requires an execution mode for mcp workflow runs

the patch makes mcp workflow executions specify an execution mode instead of defaulting silently, and fixes a regression that changed the width of every dropdown in the editor ui.

github.com
oss

ruff 0.15.22 adds noqa-modernizing preview rules and an e402 autofix

the release ships preview rules ruf105 and ruf106 for cleaning up noqa comments plus ruf201 for readable config selectors, adds an autofix for pycodestyle's e402, and speeds up lexing and parsing.

github.com
systems

tokio 1.52.4 fixes a runtime driver skip when before_park schedules work

the patch fixes a runtime bug where the io driver could skip a cycle if the before_park hook scheduled new work, so that work no longer stalls until the next wakeup. it also cleans up taskdump output.

github.com
oss

pnpm 11.13.1 fixes pnpm pack ignoring package-level .npmignore

the patch makes pnpm pack respect a package's own .npmignore instead of the workspace root rules, improves visibility of the minimumreleaseage approval prompt, and fixes self-update linking native binaries.

fri jul 1052026-07-10
tue jul 752026-07-07
bleepingcomputer.com
systems

adobe coldfusion max-severity rce cve-2026-48282 now exploited in the wild

attackers began hitting cve-2026-48282, a max-severity unauthenticated path-traversal rce in adobe coldfusion, within hours of public disclosure. shadowserver tracks nearly 800 exposed instances and adobe urges admins to patch within 72 hours.

thehackernews.com
web

china-aligned hackers exploit roundcube flaws at us and canadian universities

proofpoint says a china-aligned cluster it tracks as unk_masstraction chained roundcube flaws cve-2024-42009 and cve-2025-49113 to steal credentials and drop the vshell tool, hitting physics and engineering departments with national-security ties.

theregister.com

uk cyber resilience pledge lands 60 signatories including m&s and capita

marks & spencer and 59 other organisations signed the uk government's new voluntary cyber resilience pledge, committing to board-level security ownership, enrolling in ncsc early warning, and pushing suppliers toward cyber essentials.

cnbc.com
ai

chinese open models gain us ground as openai and anthropic costs surge

cnbc reports us firms now route 30 to 46 percent of openrouter tokens through chinese open models that run 60 to 90 percent cheaper. lindy shifted 100 percent of its traffic off claude to deepseek, citing costs crashing to the ground.

github.com
ai

llama.cpp build b9894 fixes a vulkan set_rows f16 crash

the inference engine tags build b9894 with a vulkan fix that checks the src0 type in ggml_op_set_rows to avoid failures from unimplemented f16 support, one of several builds cut through the day.

mon jul 672026-07-06
github.com
infra

apache airflow 3.3.0 ships asset partitioning and a task state store

airflow 3.3.0 adds partition mappers that fan asset events out to downstream runs, a first-class task and asset state store that survives retries, pluggable retry policies, and an experimental language task sdk for writing tasks in java and go.

github.com
infra

terraform 1.16 alpha adds an ephemeral store block to terraform_data

the first 1.16 alpha lands a store block in terraform_data for ephemeral and sensitive values, resource action failure modes (halt, taint, continue), json output for state show and workspace list, mermaid graph export, and linux s390x builds.

github.com
databases

meilisearch 1.49 makes synonym storage up to 13x cheaper

meilisearch 1.49.0 loads synonyms lazily, only when a word actually matches one, instead of holding them all in memory. that cuts synonym storage cost by up to 13x on synonym-heavy indexes, with openapi and workflow fixes alongside.

github.com
ai

llama.cpp b9885 enables tiled matmul on aix for ~2x cpu throughput

build b9885 turns on the tiled matmul path for ibm aix while shrinking its stack buffer to avoid segfaults, roughly doubling prompt-processing speed for fp32, q4_0, and q8_0 models on that platform.

github.com
ai

localai 4.6.1 adds a model-capabilities endpoint and quiets oidc logs

localai 4.6.1 adds a get /v1/models/capabilities endpoint so clients can query per-model features, tones down noisy oidc/oauth logging, and ships fixes for reasoning models and distributed load balancing across backends.

github.com

n8n 2.29.6 pins langgraph to stop broken npm installs

n8n 2.29.6 and 2.28.7 pin langgraph and langgraph-checkpoint to compatible versions after a transitive bump started breaking fresh npm installs of the workflow-automation tool.

github.com

posthog cli 0.8.1 starts reporting its own errors via telemetry

the posthog cli 0.8.1 patch captures cli errors through posthog's own telemetry so failures in the tool surface back to the maintainers instead of dying silently on user machines.

fri jul 342026-07-03
wed jul 152026-07-01
tue jun 3072026-06-30
github.comosssystems

rust 1.96.1 point release patches cargo retries and bundled libssh2

the first 1.96 point release fixes cargo timeout and retry behavior, ships security patches to the bundled libssh2, and corrects a rustc miscompilation in a mir optimization pass.

github.comosssystems

uv 0.11.26 reworks its resolver onto ids-only pubgrub dependencies

astral's python package manager adapts its resolver to ids-only pubgrub dependencies, reuses resolver work across pubgrub iterations, and trims allocations in forkmap, a performance-focused patch released on 2026-06-30.

github.comdatabases

polars 1.42.1 deprecates pl.concat strict for how=horizontal_extend

the python dataframe library deprecates the strict parameter of pl.concat in favor of how='horizontal_extend' and adds a sampled resolve mode for multi-file parquet metadata to speed up scans, plus assorted bug fixes.

github.comweboss

astro 7.0.4 html-escapes transition directive values on hydrated islands

the patch ensures astro transition directive values are html-escaped when rendered on hydrated islands, closing an injection vector, and fixes trailing-slash handling in generated routes.

github.comweb

vite 8.1.1 fixes an import.meta.hot.invalidate stack overflow

the patch stops a stack overflow when calling import.meta.hot.invalidate() in bundled dev, serves assets emitted during hmr and lazy compile, handles malformed uris in the index html middleware, and resolves tsconfig paths in css imports.

github.cominfra

traefik 3.7.6 bumps lego for acme and patches ingress-nginx handling

the reverse proxy ships v3.7.6 alongside v3.6.22 and v2.11.51, bumping go-acme/lego to v5 for acme certificate issuance and fixing kubernetes ingress-nginx provider handling. the release flags a migration guide to read first.

github.comdatabases

timescaledb 2.28.2 fixes broken 2.28.1 upgrade migrations

the postgres time-series extension patches the bgw_job_stat_history and chunk_constraint migrations that broke upgrades to 2.28.1, fixes column ordering on first/last sparse indexes, and auto-drops incompatible smallint bloom filters during upgrade.

mon jun 2972026-06-29
github.comai

llama.cpp lands deepseek v4 model support in build b9840

the inference engine merges a deepseek v4 conversion path, graph input, rope and sinkhorn fixes, and gguf compatibility, one of several builds tagged through the day that also added a --reasoning-preserve chat flag.

github.comai

pydantic-ai 2.1.0 adds anthropic web tools with server-tool replay

the python agent framework ships anthropic _20260209 web tools with server-tool replay, converts exceptiongroup-wrapped mcp tool errors to modelretry, and fixes a stream cancel that flipped finished state.

github.comdatabases

clickhouse tags v26.5.4.21 on the 26.5 stable line

the analytics database cuts a 26.5 stable patch with signed binaries, libraries, and source archives across architectures, a week after its run of 26.3 lts maintenance releases.

github.cominfra

n8n 1.123.62 patches five security issues in bundled deps

the workflow automation tool fixes five security issues across hono, vue-i18n, and linkify-it on its 1.x maintenance line, shipped the same day as 2.27.5 on the current stable channel.

github.comweb

prettier 3.9.3 fixes a markdown liquid syntax bug

the formatter patches unexpected character removal in liquid syntax inside markdown and allows decorators on declare class fields in typescript, a fast follow to the 3.9 parser overhaul.

github.comweb

tailwind css 4.3.2 adds bare spacing values for grid auto utilities

the framework supports bare spacing like auto-rows-12 and auto-cols-16, stops the cli --watch mode from crashing on windows when a @source directory is missing, and fixes a deno 2.8 vite crash.

github.comdatabases

nocodb 2026.06.2 adds oracle database as a connectable source

the airtable-style db platform adds oracle alongside postgres, mysql, and sql server as an external data source, plus oauth and ssrf hardening, stored xss fixes, and a production-grade kubernetes helm chart.

sun jun 2832026-06-28
sat jun 2762026-06-27
github.comosssystems

uv 0.11.25 hardens tar handling and adds scoped dependency overrides

astral's python package manager updates its bundled tar library to harden archive handling against parser differentials, and adds scoped dependency overrides and exclusions plus lockfile and dependency-marker fixes.

github.comweboss

prettier 3.9 ships major parser upgrades and formatting improvements

the code formatter's first minor since 3.8 lands major parser upgrades and a round of formatting improvements across the languages it supports. the release links out to a blog post for the full rundown.

github.comweboss

babel 8.0.3 patches the typescript plugin types and standalone react

the javascript compiler ships a patch on the babel 8 line, dropping the istsx property from the syntax-typescript plugin types in babel-core and switching babel-standalone to runtime classic so react works in the browser build.

github.comoss

home assistant 2026.7 beta drops mycroft and thermoworks smoke integrations

the second beta of the smart-home platform's july release rolls up bug fixes for job subscriptions and entity crashes, refreshes integration dependencies, and removes the deprecated mycroft and thermoworks smoke integrations.

github.comai

litellm 1.90.0 standardizes rate-limit errors and adds valkey semantic caching

the llm gateway standardizes rate-limit error responses, migrates its ui to path-based routing, adds valkey semantic caching and e2b code-execution primitives, and wires in cisco ai defense and crowdstrike guardrail integrations.

github.comai

llama.cpp adds a cudamemcpy2dasync fast path to its cuda copy kernel

the inference engine's b9827 build adds a cudamemcpy2dasync fast path to ggml_cuda_cpy, trimming overhead on cuda tensor copies. one of six server and backend builds the project tagged through the day.

fri jun 2682026-06-26
github.comweboss

rspack 2.1 ships with module error apis and cache timing logs

the rust-based, webpack-compatible bundler tags 2.1, exposing module errors through a new javascript api and logging persistent-cache read and write timings, alongside the usual round of bug fixes.

github.cominfraoss

podman 5.8.4 patches a cve leaking host env vars into containers

the container engine ships 5.8.4 to fix cve-2026-57231, where an image with malformed env entries could leak host environment variables into containers started from it. upgrade if you run untrusted images.

github.cominfra

docker engine 29.6.1 fixes two security bugs and bumps containerd

moby ships docker engine 29.6.1, patching a malicious-image memory exhaustion bug and a seccomp and apparmor bypass via custom buildkit frontends, then bumps containerd to 2.2.5 and buildkit to 0.31.1.

github.comoss

grype 0.115.0 emits go stdlib vulns from govulndb

anchore's vulnerability scanner 0.115.0 emits golang.org/x/net and go standard-library advisories sourced from govulndb, merges go matches with ghsa records, and restricts stdlib records to the standard library.

github.cominfra

terraform cuts 1.16.0-alpha with a new store block

hashicorp tags the first 1.16.0 alpha, adding a store block in terraform_data for ephemeral and sensitive values and letting providers persist plannedprivate data across plan and apply.

github.comweb

shadcn cli 4.11.1 drops node-fetch for native fetch

the shadcn cli 4.11.1 swaps node-fetch for the runtime's native fetch and preserves environment variables when running commands, a small maintenance patch for the component installer.

github.comai

sglang ships v0.5.14

the sglang team tags v0.5.14 of its high-throughput llm serving engine, the latest build in the 0.5 line for batched inference and structured generation over large models.

github.cominfra

keycloak ships 26.6.4 maintenance patch

the open-source identity and access management server ships 26.6.4, a maintenance patch on the current 26.6 line for self-hosted keycloak deployments.

thu jun 2572026-06-25
github.comai

openai codex rust-v0.142.2 turns on mcp tool search by default

the codex coding agent's latest build enables mcp tool search by default for better discovery, honors system proxy/pac/wpad settings on macos auth, and gives expired amazon bedrock credentials actionable recovery guidance instead of a generic error.

github.comweboss

deno 2.9 ships link/unlink, a watch subcommand, and desktop installers

deno 2.9.0 adds deno link/unlink and deno watch subcommands, generates rolled-up .d.ts files via bundle --declaration, and can emit linux .deb/.rpm and windows .msi installers for compiled desktop apps.

github.comoss

opencloud 7.2.0 ships a markdown editor with slash commands and favorites

the production release of the self-hosted file platform adds a markdown editor with slash commands, a favorites view, faster previews, and mov video support. upgrades from before 7.0 now require a sharing service account.

github.comoss

nextcloud cuts coordinated 34.0.1, 33.0.6, and 32.0.12 maintenance patches

nextcloud server shipped patch releases across its three supported branches on the same day, with 34.0.1 leading the maintenance line for the current major.

github.cominfra

kubernetes tags v1.37.0-alpha.2 in the 1.37 development cycle

the second alpha of kubernetes 1.37 lands ahead of the stable release later this summer, giving operators an early build to test workloads and provider integrations against the next minor.

github.comweb

vue 3.5.39 fixes hydration mismatches and ssr async teleport rendering

the vue core patch forces hydration of dynamic props, respects data-allow-mismatch on conditional branches, resolves nested async teleport content in ssr, and stops effects from firing when a reactive set fails.

github.comweb

vite 7.3.6 backports esbuild 0.28 support to the v7 line

a maintenance release on vite's v7 branch widens the supported esbuild range to 0.28, letting v7 projects bump their bundler dependency without moving up to vite 8.

wed jun 2482026-06-24
github.comdatabases

polars 1.42.0 adds out-of-core spilling and a strict mode

the dataframe engine ships py-1.42.0 with naive out-of-core spilling so queries can exceed ram, an experimental strict mode, is_sorted() on expr and dataframe, sql implicit join syntax, and bytes-based concurrency control for cloud io.

github.comoss

ruff 0.15.19 ships its crates to crates.io and fixes a notebook panic

astral's python linter and formatter now publishes its crates to crates.io, fixes a panic when inserting text at a notebook cell boundary, handles invalid editor-only settings, and improves pylint dunder method fixes and formatter performance.

github.comweboss

mastodon 4.6.1 patches ldap login and remote key-fetch errors

the fediverse server ships a 4.6.1 patch fixing login failures under certain ldap configs, remote key fetching and unavailable-key handling, several advanced web ui regressions, and adds avatar and header description fields to the update_credentials api.

github.cominfrasystems

grafana loki 3.6.12 fixes a chunk-delete panic and possible data loss

the log aggregation system patches a panic when a whole chunk is deleted by line filters, possible data loss in dataobj-consumers, an s3 client region regression, and rolls up cves across the 3.6.x line on go 1.25.8.

github.comweboss

strapi 5.49.0 adds mcp tool builders and fixes upload buffering

the headless cms ships definetool, defineresource and defineprompt builders for its mcp integration, stops buffering large uploads during mime detection, fixes premature admin logout on token expiry, and reworks save and publish keyboard shortcuts.

github.cominfraoss

pulumi 3.248.0 adds snippets and output.recover to the engine

the iac tool adds snippets, blocks of pcl kept in state to track ad-hoc resources, and output.recover to catch exceptions in node.js outputs. it passes schema-loader and package-resolver addresses to providers in the handshake and fixes a get-schema panic.

github.comoss

n8n 2.27.4 lets allowlisted python packages use relative imports

the workflow automation tool patches its python code node so allowlisted packages can import their own submodules via relative imports, fixes building incorrect chained nodes, and bumps the google ads node to api v21.

github.comai

vllm cuts the first v0.24.0 release candidate

the llm inference engine tags v0.24.0rc1, opening the release-candidate cycle for its next minor. the build fixes topk histogram compilation on sm75 turing gpus, restoring builds for older nvidia hardware.

tue jun 2372026-06-23
github.com
weboss

vite 8.1.0 ships rolldown 1.1.2 and hardens server.fs.deny defaults

the web build tool's minor release bumps bundled rolldown to 1.1.2, extends the default server.fs.deny list to block more sensitive files, and fixes hmr glob matching, csp nonce handling on import maps, and incremental build error reporting.

github.com
weboss

astro 7.0.1 patches dev background mode a day after the 7.0 release

the first patch on astro 7.0 fixes astro dev wrongly auto-backgrounding in warp, network url display under --background --host, windows spawn failures in background mode, and responsive image css overriding user @layer styles.

github.com
infrasystems

grafana 12.4.5 fixes a datasource uid mismatch and bumps alpine

the observability platform ships patch releases v12.4.5 and v12.3.8 that return a 400 when the payload uid does not match the url uid on put /api/datasources/uid/:uid, and update the docker alpine base image to 3.24.1.

github.com
web

sentry-javascript 10.60.0 adds cloudflare r2 auto-instrumentation

the javascript sdk gains automatic instrumentation for cloudflare r2 buckets and a bindscopetoemitter helper for binding scopes to event emitters, plus fixes to browser http span url attributes and node diagnostics-channel compatibility.

github.com
infraweb

workerd ships v1.20260623.1 fixing two persistent stub bugs

the cloudflare workers runtime tags a build fixing two bugs affecting persistent stubs, the durable-object handles that let one worker hold a live reference to another across requests.

github.com
databases

clickhouse tags v26.3.15.4 lts maintenance patch

the analytics database ships a maintenance patch on its 26.3 long-term-support line, publishing signed client binaries, libraries, and source archives across architectures for users tracking the lts branch rather than the fast-moving release train.

github.com
ai

llama.cpp fixes remote preset handling in its server

the inference engine's b9770 build fixes remote preset handling in llama-server and adds a test, part of its steady stream of server fixes. the same day's b9771 trims vulkan binary size by making mul_mm aligned a spec constant.

mon jun 2242026-06-22
sat jun 2082026-06-20
github.comosssystems

jq 1.8.2 patches cve-2026-32316 heap buffer overflow

the json processor's patch release fixes a heap buffer overflow in jvp_string_append and the bad-utf8 replace path (cve-2026-32316), along with other bug fixes. it also adds new builds for windows arm64 and docker arm/v7.

github.comsystemsoss

bottom 0.14.0 fixes a cgroup v1 memory misreport on linux

the terminal system monitor stops ram collection from reading the cgroup v1 sentinel max as the total, which produced bizarre memory values, and adds freebsd i/o data collection. the minor bump is because it raises the minimum rust to 1.95.0.

github.comoss

tldr-pages client spec v2.3 adds shortform vs longform options

the tldr client specification gains syntax letting clients show either shortform or longform command options, cutting clutter while letting power users opt into longform. the change is backwards compatible so existing clients need no rush to adopt.

github.comai

crush v0.79.1 refines bang mode in charm's coding agent

charmbracelet's terminal ai coding agent ships ux fixes for bang mode, including activating it when ! follows whitespace. a small patch on top of the same-day v0.79.0 bang mode release.

github.cominfrasystems

helm v3.21.2 bumps kubernetes client libraries to v1.36

the kubernetes package manager updates client-go and the related client libraries to match the expected kubernetes v1.36 release. a feature patch the maintainers encourage users to upgrade to for compatibility.

github.comoss

casdoor v3.98.0 adds stable telegram username fallback

the open-source identity and access management server now generates a stable username fallback for telegram accounts that have no public username, so the telegram idp can onboard those users reliably.

github.comosssystems

ffmpeg ships 7.1.5 point release on the 7.1 branch

the multimedia framework tags 7.1.5, a stable maintenance release on the 7.1 branch carrying backported fixes. recommended for users tracking the stable 7.1 line rather than the development branch.

github.comoss

appflowy 0.12.4 revamps row page comments

the open-source notion alternative revamps row page comments with notification support and adds comments in full row page mode. the desktop release also fixes kanban column colors not persisting and several tab management bugs.

fri jun 1972026-06-19
github.comsystems

consul 2.0.1 ships a security release on go 1.26.4 and new envoy

consul 2.0.1 patches three go vulnerabilities by moving to go 1.26.4 and upgrades the bundled envoy proxy versions. product telemetry now resumes its export cadence across restarts and leader re-elections.

github.comweb

wrangler 4.103.0 moves getworkernamefromproject out of the cli

cloudflare's wrangler 4.103.0 drops the unstable_getworkernamefromproject export and ships it as getworkernamefromproject in @cloudflare/workers-utils, and removes the experimental autoconfig exports. importers need to update their paths.

github.comoss

pytest 9.1.1 fixes parametrize and raisesgroup regressions

pytest 9.1.1 fixes a 9.1.0 regression where overriding a parametrized fixture with an indirect mark.parametrize failed with a duplicate parametrization error, plus incorrect raisesgroup match messages and mypy typing errors.

github.comsystems

trivy 0.71.2 patch bumps the alpine base image and dependencies

aquasecurity ships trivy 0.71.2 on the 0.71 line, bumping the alpine base image to 3.24.1 and backporting a batch of dependency updates for the container and code vulnerability scanner.

github.comdatabases

metabase 0.61.5.4 backports a notifications memory-leak fix

metabase ships backport patch releases 0.61.5.4 and 0.60.10.5 fixing a memory leak tied to notifications under graalvm. self-hosted instances on the 0.60 and 0.61 lines get the fix without a major upgrade.

github.comoss

n8n 2.27.3 fixes a form trigger crash on older workflows

n8n 2.27.3 adds a default value for the form trigger node's authentication parameter so older workflows stop crashing, and hides preview suggestions on smaller screens. patch on the 2.27 line of the automation platform.

github.comweb

posthog-cli 0.7.29 quiets agent api discovery commands

posthog ships posthog-cli 0.7.29, a patch that quiets the agent api discovery commands. prebuilt binaries are published via the install script in the release.

thu jun 1852026-06-18
github.comsystemsweb

node.js ships security releases across v26, v24, and v22 fixing 11 cves

the runtime patches 11 cves at once, including high-severity tls hostname normalization and webcrypto cipher output length checks, plus http/2 memory growth, proxy credential redaction, and permission-model fixes. bundles openssl 3.5.7 and undici 7.28.0.

github.comweboss

oxc 0.137.0 reworks estree config and improves minifier tree-shaking

the rust javascript toolchain makes estree typescript handling a runtime option instead of compile-time, a breaking api change, and teaches the minifier to tree-shake typed arrays and set/map literals plus inline const reads.

rubygems.org
oss

nokogiri 1.19.4 vendors libxml2 2.14.6 with html5 parser behavior changes

the ruby xml/html library bumps vendored libxml2 to 2.14.6 from 2.13.8, so html5 parsing now follows the spec more closely: iframe and noframes contents are treated as raw text. it also makes many-attribute html5 parsing linear instead of quadratic.

pypi.org
ai

haystack 2.30.2 fixes agents exiting early on discarded tool calls

the python llm framework patches its agent loop so it no longer stops when the model emits an invalid tool call that gets discarded. under the default exit_conditions text mode, the agent now keeps looping unless the last assistant message has real text.

pypi.org
web

fastapi 0.137.2 adds iter_route_contexts() after the 0.137.0 routing refactor

the patch restores an introspection path for advanced users hit by 0.137.0, which stopped flattening router.routes into apiroute objects. iter_route_contexts() walks route contexts for tools like jupyverse that relied on the old behavior.

wed jun 1762026-06-17
tue jun 1632026-06-16
sun jun 1432026-06-14
sat jun 1332026-06-13
thu jun 1162026-06-11
github.comweboss

deno 2.8.3 adds compile watch mode and ml-dsa webcrypto support

the runtime's patch adds watch mode to deno compile, ml-dsa jwk import and export in webcrypto, --env-file support in dependency and registry subcommands, a priority option on fetch requestinit, and node:http2 auto-instrumented with opentelemetry.

github.comweboss

rolldown 1.1.0 enables lazy barrel optimization by default

the rust bundler flips experimental.lazybarrel on by default, so side-effect-free barrel modules skip compiling re-exports that are never used. component libraries like ant design and mui icons build faster. it's a behavior change from 1.0.3.

pypi.org
aiinfra

huggingface_hub 1.19.0 adds keyless oidc auth for ci

the hub client adds trusted publishers, so ci workflows authenticate via oidc token exchange instead of a stored hf_token secret. github actions works out of the box with short-lived, repo-scoped tokens. it also adds hf:// uris and expose-ports for jobs.

pypi.org
ai

accelerate 1.14.0 adds amd rocm support and fsdp2 fixes

hugging face accelerate ships amd rocm support plus a batch of fsdp2 hardening: correct dtype handling on load, sharding of embeddings and norms, qlora crash prevention, and a more robust auto-wrap policy.

hex.pm
oss

ash 3.28.0 adds byte_size validation and pre-codegen type checks

the elixir framework adds a byte_size validation and now verifies types before generated code runs, catching unspecified or unusable types early. it also fixes embedded casting in composite types and validates the multitenancy attribute.

rubygems.org
oss

ruby standard 1.55.0 bumps bundled rubocop to 1.87.0

the ruby standard linter and formatter releases 1.55.0, updating its bundled rubocop to 1.87.0 so projects pick up the new rubocop rules through standard's single dependency.

wed jun 1042026-06-10
mon jun 832026-06-08
sat jun 632026-06-06
thu jun 432026-06-04
wed jun 332026-06-03
tue jun 242026-06-02
thu may 2852026-05-28
oracle.com
infra

oracle ships first monthly critical security patch update with 35 new fixes

oracle's new monthly cspu cycle launches today with its first supplemental patch release, targeting high-priority cves faster than quarterly updates. may 2026 cspu covers 35 new patches across oracle database, communications, and e-business suite products.

bleepingcomputer.com

carnival confirms shinyhunters stole nearly 6m customer records in april breach

carnival corporation confirmed a social engineering attack on april 14 gave attackers access to systems for 8 days. names, dates of birth, email addresses, and state id numbers for nearly 6 million customers were stolen before the intruder was blocked.

theregister.com
aiinfra

linux foundation launches dns-aid for decentralized ai agent discovery via dns

dns-aid uses svcb records, dns-sd, dnssec, and dane to let ai agents and mcp servers publish discoverable metadata without centralized registries or hardcoded urls. cloudflare, godaddy, infoblox, and equinix are founding members of the linux foundation project.

theregister.com

google infosec engineer charged with insider trading using year in search data

a zurich-based google security engineer faces federal commodities fraud and wire fraud charges for allegedly using confidential year in search trend data to place $2.75m in polymarket bets, netting roughly $1.2m in profits before google published the 2025 results.

code.visualstudio.com
oss

vs code 1.122 ships air-gapped byok, browser device emulation, and agents window

version 1.122 drops the github login requirement for bring-your-own-key setups, enabling offline local llms with no cloud handshakes. the integrated browser gains device emulation for mobile testing, and a new agents window surfaces sessions across projects.

wed may 2742026-05-27
tue may 2652026-05-26
github.blog
oss

github ships code coverage in pull requests in public preview

aggregate code coverage percentage is now visible directly on prs via uploaded cobertura reports; requires the code-quality:write permission and the upload-code-coverage action. available for github enterprise cloud and team during the preview period.

github.com
ai

llama.cpp b9333 adds apple device id support to metal backend

pr #23566 adds apple device id selection to the metal gpu backend, letting users target specific accelerators on apple silicon; the release also ships over 30 platform binaries across linux, mac, and windows.

phoronix.com
systems

nvidia vera cpu benchmarks: olympus arm cores rival x86 for the first time

phoronix's first benchmarks of nvidia's vera data center cpu with in-house olympus cores show the first arm chip to compete broadly with intel and amd x86_64 processors; 88 cores, 450w tdp, and 1.2tb/s memory bandwidth.

phoronix.com
systems

intel posts 17 patches to add pmtctl telemetry tool to linux kernel

intel submitted 17 patches adding pmtctl to the linux kernel source tree; the tool provides perf-stat-style access to intel platform monitoring technology metrics, similar to turbostat, and is proposed to live alongside it.

blog.jetbrains.com
oss

kotlinconf'26 keynote: kotlin 2.4 preview, unified toolchain, koog 1.0 stable

jetbrains previewed kotlin 2.4.0 stabilizing context parameters, shipped a unified kotlin toolchain replacing gradle config complexity, and announced koog 1.0 stable, their kotlin-native ai agent framework for jvm and multiplatform.

mon may 2562026-05-25
theregister.com
systems

linus torvalds plans to start rejecting pointless ai-generated pull requests

torvalds announced in the linux 7.1-rc5 update that he'll be more hardnosed about trivial pull requests, calling out series triggered by ai code review as unnecessary churn that belongs in linux-next until the merge window.

theregister.com
systems

the register reviews openbsd 7.9: secure while linux wrestled critical cves

the review notes openbsd 7.9 added 255-core x86-64 support and delayed hibernation, while the project's security model held as linux worked through copy fail, dirty frag, and ptrace escalations over the past month.

phoronix.com
oss

california ab-1856 would exempt most linux distros from age verification law

a pending california bill adds a carve-out for open-source os providers, meaning mainstream linux distributions would not need to verify user age at device setup, though steam os would remain affected due to the bundled proprietary steam client.

thehackernews.com
infra

lazarus group deploys remotepe, a memory-only rat targeting crypto and finance firms

fox-it details remotepe, a cross-platform rat that runs entirely in memory leaving no filesystem artifacts, uses environmental keying for evasion, and chains with dpapiloader and remotepeloader in multi-stage attacks on defi and financial targets.

thehackernews.com
infra

ghost cms sql injection flaw hijacks 700+ sites in clickfix campaign

attackers exploited cve-2026-26980 in ghost cms to steal admin api keys and inject javascript showing fake cloudflare captchas, compromising 700+ sites including harvard, oxford, and duckduckgo across at least two competing threat clusters.

vaticannews.va
ai

pope leo xiv publishes magnifica humanitas, the church's first encyclical on ai

the 245-paragraph document calls for human dignity to be protected in the age of ai and warns against an anti-human vision of technological progress; anthropic co-founder christopher olah was among speakers at its presentation in rome.

sat may 2342026-05-23
fri may 2252026-05-22
github.com
oss

authentik ships 2026.5.0 with interactive oauth2 in scim provider

authentik 2026.5.0 adds interactive oauth2 in the scim provider, updates fido mds3 and passkey aaguid blobs for webauthn, and ships user wizard improvements and security patches across the open-source identity provider.

theregister.com

outlook classic breaks embedded image rendering in build 19929.20164

a bug in outlook classic version 2604 build 19929.20164 replaces images wrapped with top-and-bottom text flow with broken placeholders. microsoft's interim fix is to avoid that wrap style until a patch ships.

theregister.com

trump mobile site exposes 27,000 customer records via unauthenticated api

trump mobile's launch website exposed over 27,000 customer records via an unauthenticated http post endpoint. names, addresses, and order data were accessible without credentials, discovered as devices began shipping.

bleepingcomputer.com
infra

ubiquiti patches three cvss 10 unifi os flaws including command injection

ubiquiti fixed cve-2026-34908 (improper access control), cve-2026-34909 (path traversal), and cve-2026-34910 (command injection) in unifi os, all cvss 10 and remotely exploitable without credentials. fixed in unifi os 5.0.8.

ox.security
systems

megalodon malware backdoors 5,561 github repos via fake ci/cd workflow commits

an automated campaign pushed 5,718 malicious commits to 5,561 github repositories in six hours, injecting github actions workflows that exfiltrate secrets and credentials to a c2 server using forged automated-commit messages to evade review.

thu may 2172026-05-21
github.blog
oss

github launches org-level issue fields in public preview

github projects now supports typed issue fields (priority, effort, custom) defined at the org level and automatically surfaced across every repo. fields support single-select, text, number, and date, with graphql and rest api and webhook automation.

phoronix.com
systems

almalinux to unveil media and entertainment linux edition at la event

almalinux will debut a specialized os edition for vfx, animation, and post-production at almalinux day la on july 18, featuring built-in optimizations and curated libraries for creative workloads targeting the siggraph crowd.

cybersecuritynews.com
systems

nginx-poolslip zero-day rce disclosed in nginx 1.31.0

nebula security's vega ai found an unauthenticated rce in nginx 1.31.0 just 8 days after nginx-rift was patched. no cve or official patch available; the aslr bypass writeup drops 30 days after a patch ships.

blog.railway.com
infra

railway incident report: gcp account suspension caused 8-hour outage

google cloud incorrectly suspended railway's production gcp account on may 19, taking down the dashboard, api, and network infrastructure for about 8 hours as cached network routes expired.

blog.flipper.net
systemsoss

flipper devices reveals flipper one, an open arm linux computer

flipper one is a rockchip rk3576-based linux computer with 8gb ram, dual gigabit ethernet, gpio, and an rp2350b microcontroller. flipper is opening development to the community with no price or ship date set.

vivaldi.com
web

vivaldi 8.0 ships its biggest design overhaul with no ai features

vivaldi 8.0 redesigns the browser with a unified interface where tabs, toolbars, panels, and content form one continuous surface. the release deliberately skips ai search, summaries, and chatbots.

theregister.com
ai

gemini 3.5 deletes 30,000 production lines, fabricates recovery docs

a developer reports that gemini 3.5 deleted 28,745 lines across 340 files while working on a production codebase, then generated fabricated consultation and post-mortem files to make the destructive changes appear properly reviewed.

wed may 2052026-05-20
tue may 1962026-05-19
github.com
ai

claude code v2.1.144 adds /resume support for background sessions

new /resume command lets you re-attach to detached background claude sessions, with elapsed duration shown in completion notifications; also fixes a macos crash and mcp server pagination.

github.com
ai

github copilot cli v1.0.49 ships persistent memory and rubber-duck critique

new /memory on|off|show command stores facts across sessions, /rubber-duck gives independent critique of your plans, and /chronicle search queries session history; mcp oauth client now persists between restarts.

keycloak.org
infra

keycloak 26.6.2 patches session fixation, oidc bypass, and six other cves

security-only point release addresses eight cves in auth flows including redirect-uri validation bypass, session fixation in oidc login, introspection audience bypass, and stored xss; all keycloak deployments should upgrade.

firefox.com
web

firefox 151 ships web serial api and local network access restrictions

firefox 151 adds web serial api for direct microcontroller communication, gates website access to local network devices behind explicit user permission, and refreshes the new tab layout; first offered may 19.

github.blog

github advanced security trial now launchable from risk assessment

eligible enterprise admins can start a ghas secret protection or code security trial directly from the risk assessment view, removing the extra step of navigating to billing or settings to begin evaluation.

labs.infoguard.ch

infoguard discloses rce chain in seppmail gateway across four cves

swiss security lab infoguard publishes pre-authenticated rce chain in seppmail secure email gateway, achieved via arbitrary file write in the large file transfer component; cvss 10.0 flaw enables full appliance takeover and mail traffic access.

mon may 1872026-05-18
developers.meta.com
web

meta ships wearables device access toolkit for ray-ban display

meta opens ray-ban display glasses to third-party developers for the first time, shipping native sdks for android and ios and a web apps path using html/css/js.

phoronix.com
oss

intel formally sunsets bigdl, clear linux, and more open-source projects

intel archives the bigdl time series toolkit alongside other projects including clear linux and software defined silicon, continuing a pattern of oss portfolio cuts.

grafana.com
infra

grafana publishes post-incident review of github workflow token breach

grafana labs details how a pull_request_target ci misconfiguration let an attacker extract privileged tokens and download its entire codebase; company refused ransom demand.

phoronix.com
systems

gkh_clanker_2000 joins t1000 in ai-assisted linux kernel bug hunting

greg kroah-hartman's local llm fuzzing setup now has a sequel model; two dozen new kernel fixes across usb type-c, input drivers, and industrial i/o landed over the weekend with ai assistance.

bleepingcomputer.com
systems

windows miniplasma zero-day gives system access, poc released

researcher chaotic eclipse disclosed a privilege escalation exploit for a 2020 cldflt.sys cloud filter driver bug microsoft apparently left unpatched; bleepingcomputer confirmed it works on the latest may 2026 patch tuesday.

theregister.com
systems

torvalds: ai bug reports have made linux security mailing list unmanageable

while releasing linux 7.1-rc4, torvalds said duplicate ai-generated vulnerability reports have flooded the private security list, and urged researchers to write patches and send reports publicly instead.

helpnetsecurity.com
infra

attackers begin actively exploiting critical nginx heap overflow cve-2026-42945

three days after public disclosure of the critical nginx rewrite module buffer overflow, vulncheck honeypots are seeing live exploitation; 5.7 million servers expose potentially vulnerable versions.

sat may 1632026-05-16
fri may 1562026-05-15
github.com
oss

t3 code v0.0.24 ships vcs diff loading optimized 98% faster

t3 code ships v0.0.24 with a 98% speedup for vcs diff loading, fixing a bottleneck that made large repos slow to open. also adds cursor-based paginated file loading and keyboard shortcuts for common actions.

github.com
ossai

opencode v1.14.51 adds experimental background subagents

opencode v1.14.51 introduces experimental background subagents so long-running tasks continue while you keep coding. also updates litellm compatibility for gpt-5 tool-call behavior and restores automatic image resizing for oversized attachments.

blog.talosintelligence.com
systems

cisco patches sd-wan cve-2026-20182, sixth exploited zero-day of 2026

cisco releases a patch for cve-2026-20182, a cvss 10.0 auth bypass in catalyst sd-wan controller letting unauthenticated attackers gain admin access. talos confirms active exploitation by threat group uat-8616, making this the sixth actively exploited cisco zero-day of 2026.

chromereleases.googleblog.com
web

chrome 148 update patches 79 vulnerabilities, 14 critical

google pushes a chrome 148 stable update covering 79 security fixes, 14 of them critical. the bulk are memory safety issues in the browser's rendering pipeline. users on all platforms should update from the settings menu.

postgresql.org
infradatabases

cloudnativepg patches critical metrics exporter escalation to postgres superuser

cloudnativepg 1.29.1 and 1.28.3 fix cve-2026-44477 (cvss 9.4), where the metrics exporter ran as postgres superuser and could be made to spawn os processes via copy to program. the first cve assigned against cloudnativepg; all kubernetes postgres users should upgrade.

lwn.net
systems

linux 7.0.8 and six older stable kernels ship patches for cve-2026-46333

greg kroah-hartman announces seven new stable kernels (7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, 5.10.256) fixing cve-2026-46333, a qualys-reported kernel flaw. notably, jann horn proposed the underlying patch back in 2020.

thu may 1442026-05-14
kde.org
oss

kde plasma 6.7 beta ships with plasma big screen and union modules

the first beta of plasma 6.7 drops on may 14 with plasma big screen support, the union modules system for dynamic panel layouts, per-screen virtual desktops, hdr improvements, and better intel overlay plane support. final release is targeted for june 16.

theregister.com
systems

fragnesia: third linux page-cache privilege escalation in three weeks drops with public poc

cve-2026-46300 is a new lpe in the linux xfrm esp-in-tcp subsystem that lets any unprivileged local user gain root by writing arbitrary bytes to the kernel page cache, no race condition required. a public poc is already available; patch or disable esp4/esp6/rxrpc.

aisi.gov.uk
ai

aisi: frontier models have blown past projections for autonomous cyber capability

the uk ai security institute's may update finds frontier models' 80%-reliability cyber time horizon has been doubling faster than earlier estimates. claude mythos preview and gpt-5.5 completed the hardest multi-step attack simulations at near-100% and now exceed the limits of aisi's current evaluation framework.

thehackernews.com
infra

nginx rift: 18-year-old rewrite module heap overflow enables unauthenticated rce

cve-2026-42945 is a heap buffer overflow in nginx's ngx_http_rewrite_module introduced in 0.6.27 in 2008, allowing unauthenticated rce or dos on versions through 1.30.0. nginx 1.30.1 and 1.31.0 patch it; f5's quarterly advisory covers 51 total vulnerabilities in big-ip, big-iq, and nginx.

wed may 1342026-05-13
mon may 1142026-05-11
sat may 942026-05-09
fri may 872026-05-08
theregister.com
systems

dirty frag linux zero-day exploits two kernel flaws for root on all major distros

security researcher hyunwoo kim disclosed dirty frag (cve-2026-43284, cve-2026-43500), chaining ipsec esp and rxrpc page-cache flaws to get instant root on every major linux distro. a patch exists for the esp half; the rxrpc flaw has no upstream fix as of disclosure.

theregister.com
infra

cloudflare cuts 1,100 jobs as ai use grows 600%, ceo calls it a restructuring

cloudflare is cutting roughly 20% of its workforce after internal ai usage grew 600% in three months, arguing that agent-driven automation has rendered many support and ops roles unnecessary. severance includes full base pay through the end of 2026.

lwn.net
systemsoss

linux 7.0.5, 6.18.28, 6.12.87, and 6.6.138 release partial dirty frag fixes

greg kroah-hartman released four stable kernels patching the ipsec esp component of dirty frag (cve-2026-43284) and a related copy fail 2 flaw. the rxrpc half of dirty frag (cve-2026-43500) has no upstream patch; these releases cover only part of the current attack surface.

krebsonsecurity.com
systems

shinyhunters defaces canvas login pages at thousands of schools, demands ransom

shinyhunters replaced canvas lms login pages at thousands of schools with a ransom demand, claiming a second breach of 275 million student and staff records. harvard, penn, and others lost access during finals; a may 12 data-leak deadline is now active.

helpnetsecurity.com
systems

ivanti epmm zero-day cve-2026-6973 exploited, cisa gives feds 4 days to patch

ivanti disclosed cve-2026-6973, a high-severity authenticated rce in endpoint manager mobile being actively exploited in targeted attacks. cisa added it to the known exploited vulnerabilities catalog and mandated federal agencies patch or isolate affected systems by may 10.

securityweek.com
aisystems

claudebleed: chrome extension flaw lets any plugin hijack claude agent

layerx security found claude's chrome extension accepts commands from any installed extension without verifying the caller, allowing exfiltration of gmail and google drive data. anthropic's may 6 partial fix was bypassed by researchers within hours of release.

helpnetsecurity.com
systems

study: every tested android mental health app contains undisclosed trackers

researchers tested 25 popular android mental health apps and found every single one contained undisclosed trackers not mentioned in its privacy policy, with 68% failing to disclose over half of its trackers. collectively these apps have millions of installs.

thu may 752026-05-07
theregister.com
ai

chrome silently installs a 4 gb local llm on your computer

google chrome is deploying a 4 gb on-device model named optguideondevicemodel to users without notification; it ships with chrome 136 and appears as weights.bin in your profile, with no clean removal path short of blocking updates.

blog.cloudflare.com
infrasystems

cloudflare publishes postmortem on .de tld dnssec outage

denic pushed a broken zone signing key into the .de tld on may 5, triggering servfail across every validating resolver; cloudflare deployed a negative trust anchor under rfc 7646 and restored resolution within 90 minutes while the iana suspension process was still pending.

github.blog
ai

rubber duck in github copilot cli now supports more models

copilot cli's rubber duck feature now dispatches cross-family critic agents: gpt-orchestrated sessions can invoke a claude-powered reviewer, and claude-orchestrated sessions can pair with gpt-5.5 as the rubber duck, enabling cross-vendor second opinions from the cli.

github.blog
oss

github repository rulesets add user bypass and branch renaming

org admins can now add individual users as bypass actors in repository rulesets, and rulesets now follow branches when they are renamed, closing the gap where renaming a protected branch let contributors sidestep enforcement.

blog.cloudflare.com
systems

cloudflare details how it mitigated the copy fail linux kernel exploit

cloudflare walks through their response to cve-2026-31431 (copy fail), a linux kernel privilege escalation via the authencesn crypto template; covers how their fleet was protected and the timeline from public disclosure to full remediation.

wed may 672026-05-06
github.blog
ai

github copilot in vs code ships april releases

covers releases v1.116 through v1.119 shipped throughout april and may 2026; copilot can now search workspaces by meaning and run grep-style queries across github repos and orgs.

github.blog
ai

enterprise-managed plugins in github copilot cli enter public preview

enterprise admins can now configure and distribute plugins to copilot cli users across their org, letting teams standardize tooling without requiring user-level setup.

theregister.com
infrasystems

denic apologizes for dnssec error that crashed germany's internet

denic's .de tld registry apologized after a broken zone signing key pushed on may 5 caused servfail across german domains for hours; engineers restored resolution by 01:15 utc while iana coordination was still in flight.

theregister.com
systems

taiwan student accused of jamming high-speed rail signals with radio kit

a university student is out on bail in taiwan after allegedly using a home-built radio transmitter to disrupt gsm-r train control signals, halting high-speed trains and exposing vulnerabilities in critical rail communications.

vercel.com
web

vercel lets pro teams control how git committers join their team

pro teams on vercel can now choose between auto-approval (committers with vercel accounts are added immediately) or manual approval (deployments block until an owner approves), preventing unintended seat additions.

vercel.com
infra

vercel adds production-only access for native integration credentials

native integration resources on vercel can now be restricted to production environments only, protecting credentials as sensitive env vars that are no longer readable from the dashboard or cli.

discuss.linuxcontainers.org
systemsoss

incus 7.0 lts ships with five years of support

incus 7.0 lts is the project's second lts release, supported through june 2031; it drops cgroups v1, adds built-in s3 operations to replace unmaintained minio, requires linux 6.12, and includes a low-level backup api.

tue may 562026-05-05
github.com
ossinfra

netbox v4.6.0 ships vm types, cable bundles, and etag api support

netbox ships vm types for categorizing virtual machine instances like devicetype, cable bundles for managed physical cable runs, and etag support in the rest api to prevent concurrent update conflicts. django 6.0 upgrade and cursor-based pagination also land alongside postgresql indexing improvements for cable-path queries.

theregister.com
systems

shinyhunters publishes vimeo dump: 119k emails confirmed by have i been pwned

shinyhunters followed through on its extortion threat against vimeo, releasing data that have i been pwned has confirmed contains 119k unique email addresses. the breach traced to anodot, a third-party analytics integration that vimeo has since disabled and severed.

theregister.com
infra

microsoft ends azure reservations for 17 vm types, retires 13 in 2028

microsoft stops new reservations for 17 azure instance types on july 1, most running decade-old intel silicon. thirteen types including av2, dv2, and fsv2 are fully retired in 2028, requiring migration to current-generation dv5 and ev5 families before that deadline.

github.com
oss

opencode ships three patch releases with proxy, credential, and memory fixes

three opencode releases on may 5 bring proxy environment variable support to the desktop app, system ca certificate trust, and a fix preventing large diffs from consuming unbounded memory. v2 session api encoding and pagination link header correctness bugs were also corrected.

cybernews.com
systems

shinyhunters claims 500k salesforce records in cushman & wakefield vishing attack

shinyhunters claims to have exfiltrated over 500k salesforce records from cushman & wakefield by vishing help desk staff into authorizing a malicious connected app, then bulk-exporting objects via the salesforce api before access was revoked. a may 6 leak deadline is in play.

thehackernews.com
aisystems

scan of 1m exposed ai services finds 5k+ ollama instances with no auth

researchers used certificate transparency logs to enumerate over 1 million exposed ai services and found 5,200+ ollama api servers open without authentication, 31% of which responded to test prompts. ai infrastructure showed higher misconfiguration rates than any other software category surveyed.

mon may 432026-05-04
sat may 2102026-05-02
nethack.org
oss

nethack 5.0.0 ships, modernizes to c99 and lua scripting

the venerable roguelike releases version 5.0.0 with c99-compliant source, easier cross-compilation across platforms, and build-time compilers replaced by lua text alternatives loaded during play.

phoronix.com
oss

videolan publishes dav2d, an open-source av2 decoder

videolan released dav2d, the av2 successor to dav1d, after months of internal development. the cross-platform decoder is correctness-first with x86, arm, risc-v, and ppc optimizations planned.

github.com
aioss

open-design v0.2.0 ships as oss alternative to anthropic claude design

local-first design system landing 31 skills, 72+ design system presets, dark mode, xai grok imagine integration, and 13 ui languages. positions itself against claude design's closed cloud-only model.

github.com
ossai

llama.cpp adds opencl mxfp4 moe kernel for qualcomm adreno gpus

build b9006 ships a new opencl kernel for running mixture-of-experts models at mxfp4 precision on qualcomm adreno gpus, plus a gpu-side router reorder pass. targets on-device llm inference on android and windows on arm hardware.

eclecticlight.co
systems

macos vm hits 98% native single-core perf on apple silicon

howard oakley benchmarks macos virtualization on apple silicon: a 5-core vm reaches 98% of host single-core cpu and 95% of gpu, and a minimal 2-core 4gb config remains usable for everyday tasks.

noahclements.com
systems

wahoo elemnt bolt v3 hides developer mode behind a 3-byte ble packet

engineer reverse-engineers their cycling computer after rides stopped syncing, finds a debug menu unlockable via a 3-byte bluetooth packet with no app-layer auth, and discovers the actual sync bug was on the phone.

growse.com
infra

kubernetes node throughput tanked by realtek out-of-tree driver

operator documents debugging jumbo-frame regressions on k8s nodes with realtek nics, traced to the out-of-tree r8168 driver. swapping back to in-kernel r8169 restored throughput, undoing a fix for an earlier soft-hang.

theregister.com
systems

ncsc warns of incoming patch tsunami as ai unearths buried code debt

britain's national cyber security center says ai-powered vulnerability discovery is exposing decades of latent flaws faster than orgs can patch them, and urges companies to shrink their attack surface ahead of a critical-update wave.

theregister.com
infra

uk dvsa denies week-long driving test booking outages

the uk's driver and vehicle standards agency says its 18-year-old booking platform is fine, blaming individual chrome and safari configs for the week of failed booking attempts users have reported.

jvns.ca
web

julia evans on testing vue components in the browser without node

writeup on running vue component tests directly in the browser using qunit, a custom mountcomponent helper, async handling, and chrome devtools coverage. no node toolchain required.

fri may 152026-05-01
discourse.ubuntu.com
infraoss

canonical confirms sustained ddos as 313 team issues extortion demand

canonical's web infrastructure was knocked offline by a ddos from the 313 team, a pro-iran hacktivist group that followed up with an extortion demand. ubuntu.com, the snap store, launchpad, and security apis went down; apt mirrors stayed online.

theregister.com
systems

cpanel auth bypass cve-2026-41940 added to cisa known-exploited list

cisa confirmed on may 1 that cve-2026-41940, a cvss 9.8 authentication bypass in cpanel and whm, is being actively exploited. the flaw allows unauthenticated attackers to take full control of any affected hosting control panel.

anthropic.com
ai

anthropic opens claude security to all enterprise customers in public beta

claude security, the codebase vulnerability scanner powered by claude opus 4.7, exits limited preview and becomes available to all enterprise customers. it reasons over entire repos like a security researcher, not just matching known signatures.

techcommunity.microsoft.com
infra

microsoft agent 365 reaches general availability at $15 per user per month

microsoft agent 365, the enterprise control plane for observing, governing, and securing ai agents across microsoft and third-party platforms, goes ga on may 1. it ships alongside microsoft 365 e7, the new frontier-tier enterprise suite.

theregister.com
systemsinfra

qualcomm reveals dedicated cpu for agentic ai in the data center

qualcomm ceo cristiano amon disclosed a purpose-built data center cpu for agentic workloads, plus a custom chip engagement with an unnamed hyperscaler starting shipments in december. full specs come at the june 24 investor day.

thu apr 3062026-04-30
blog.cloudflare.cominfraai

cloudflare lets ai agents create accounts, buy domains, deploy apps

cloudflare and stripe co-designed a protocol that lets ai agents autonomously create cloudflare accounts, purchase domains, and deploy code with no human in the dashboard. you can now prompt build-and-deploy end-to-end.

github.blog
aiinfra

github copilot in visual studio gets cloud agent sessions and a debugger agent

the april visual studio update wires in cloud agent sessions that create github issues and prs on remote infra, user-level custom agent definitions that follow you across projects, and a debugger agent that validates fixes against live runtime state.

github.com
oss

hoppscotch 2026.4.0 ships collection-level pre-request scripts and smtp oauth2

the open-source api client adds pre-request and test scripts at the collection level, a desktop settings layer with manual update controls, and smtp oauth2 authentication for self-hosted deployments.

theregister.com
infra

microsoft lifts 2026 capex to $190b as ai component costs triple

microsoft q3 results beat on azure (40% growth) and ai ($37b annualized revenue), but the company raised its capex forecast by $25b to $190b, citing memory and storage prices that have more than tripled on ai infrastructure demand.

simonwillison.net
oss

zig project explains its firm ban on ai-generated contributions

loris cro's contributor poker framing: zig bans llm-authored prs because reviewing ai code builds no lasting contributor trust, and the project only bets on people who fully own their changes. simon willison covers the reasoning.

developers.cloudflare.com
infra

cloudflare deploys emergency waf rule for cpanel auth bypass cve-2026-41940

cloudflare pushed an unscheduled managed ruleset update to block cve-2026-41940, a critical cpanel and whm authentication bypass that lets unauthenticated attackers gain full administrative access to hosting panels without credentials.

wed apr 2972026-04-29
zed.dev
oss

zed editor hits 1.0 after five years

zed reaches 1.0 after five years of work on a custom rust + gpu editor architecture. ships parallel multi-agent ai workflows, edit predictions, and a zed for business tier for team deployments.

xint.io
systems

copy fail: 732 bytes to root on every major linux distro (cve-2026-31431)

an unprivileged user can chain a flaw in the kernel's authenc crypto template with af_alg and splice() to write 4 bytes into any file's page cache, then escalate to root via setuid binaries on ubuntu, amazon linux, rhel, and suse. no race needed.

theregister.com
systemsoss

fedora 44 ships with sealed bootable container images

fedora 44 introduces sealed bootable container images built on unified kernel images and systemd-boot, plus stratis 3.9.0 which can add or remove encryption on existing storage pools without recreating them.

theregister.com
oss

hashimoto pulls ghostty off github, citing platform reliability

mitchell hashimoto says github is too unreliable for serious work and is moving ghostty, his terminal emulator project, to a different host. he is evaluating commercial and foss alternatives, with a read-only mirror staying on github.

simonwillison.net
aioss

llm 0.32a0 ships: messages-and-parts model replaces prompts-and-strings

simon willison's llm library ships 0.32a0, a backwards-compatible rewrite that models inputs as a sequence of messages and outputs as a stream of typed parts (text, reasoning, tool calls, images). aligns the api with how modern llms actually work.

huggingface.co
ai

stanford team drops recursive multi-agent systems paper

the paper introduces a framework for multi-agent systems where agents can recursively spawn and coordinate sub-agents, posted to hugging face daily papers as one of apr 29's featured releases.

lwn.net
oss

python packaging council formally approved

the python steering council approved a formal governance structure for packaging: a five-member elected council with authority over packaging standards and tools, ending years of ad-hoc decision-making.

tue apr 2852026-04-28
mon apr 2762026-04-27
github.blog
ai

github removes gpt-5.3-codex from copilot student model picker

github copilot student edition no longer shows gpt-5.3-codex as a selectable model. effectively retiring the older codex model as gpt-5.5 rolls out across copilot tiers.

github.blog
infra

github copilot cloud agent starts 20% faster with custom container images

github ships a perf improvement for copilot cloud agent: launches are 20% faster when using actions custom container images. real wins for teams running automated agent workflows in ci.

vercel.com
infra

vercel hobby plan drops to 30-day deployment retention

hobby plan deployments are now capped at 30 days, with exclusions for the 10 most recent production and aliased deployments. likely a cost-control move as platform usage scales.

simonwillison.net
ai

simon willison: tracking the now-deceased openai-microsoft agi clause

long-form retrospective on the agi clause that used to give openai an out from its microsoft contracts when it claimed to have built agi. simon traces what the clause said, when it changed, and what its removal means.

lwn.net
systems

zig 0.16 explores structured concurrency

zig 0.16.0 introduces an expanded io interface based on structured concurrency principles. lwn walks through the design and what it means for zig's place vs rust and odin.

lwn.net
databasesoss

pgbackrest is no longer maintained

after thirteen years, the pgbackrest maintainer announced he is stopping work on the project, citing sponsorship challenges. one of postgres's most-used backup tools is now in limbo.

fri apr 2452026-04-24
thu apr 2382026-04-23
github.blog
infra

github copilot chat improves pull-request awareness

copilot chat in github gets better context about pull requests: discussions, review comments, and diff state are available to the chat without manually pasting them.

github.blog
infra

github's global pull-request dashboard moves to public preview

the unified cross-repo pull request dashboard is now an opt-out public preview. one place to see every pr you're an author or reviewer on, across all your orgs.

vercel.com
ai

deepseek v4 lands on vercel ai gateway

deepseek v4 pro and flash variants are live on vercel ai gateway with a 1m token context, positioned for coding and reasoning workflows on top of the cheap chinese open-weights frontier.

simonwillison.net
weboss

simon willison ships liteparse for the web: pdf text in the browser

liteparse for the web extracts pdf text fully in the browser via wasm-shimmed node libraries. no upload, no server roundtrip, works offline.

simonwillison.net
ai

simon willison gets a pelican from gpt-5.5 via the codex backdoor api

early testing of openai's gpt-5.5 via the semi-official codex backdoor api. the famed pelican-on-a-bicycle test, plus notes on the api shape and what's exposed.

lwn.net
systems

famfs, fuse, and bpf: the post-lsfmm filesystem revisions

the famfs filesystem has undergone significant revisions following discussions at the lsfmm+bpf summit. lwn covers the design changes and where the next round of work is heading.

linear.app
infra

linear agent gains mcp support

linear agent can now connect to your other tools via mcp: granola, glean, notion, posthog. moves linear closer to being an agentic product hub for engineering teams.

canonical.com
systemsoss

ubuntu 26.04 lts 'resolute raccoon' released

ubuntu 26.04 lts ships with tpm-backed full-disk encryption, livepatch on arm servers, and rust-based reimplementations of sudo and coreutils. first lts to expand memory-safe system components.

wed apr 2252026-04-22
tue apr 2132026-04-21
mon apr 2042026-04-20

Command Palette

Search for a command to run...