今日已更新 305 条资讯 | 累计 19865 条内容
关于我们

今日精选

HOT

最新资讯

共 19865 篇
第 1/994 页
AI 资讯 Dev.to

Microsoft said the patches would get bigger. I measured how much bigger.

On 9 July 2026 the head of Windows published a post about AI-powered vulnerability discovery. One line in it was a warning to customers: "As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release." It does not say how much higher. The post runs about 1400 words and contains no numbers at all. Five days later Microsoft shipped the July package: 1150 CVEs. The number Microsoft would not put in the blog post is sitting in Microsoft's own API. The Security Update Guide publishes every monthly package as machine-readable CVRF, acknowledgments included, no key required. So I pulled twelve months of it and did the arithmetic. What the data says I sampled eight months before the ramp and four after it. Month CVEs Month CVEs 2024-07 454 2026-04 737 2025-01 343 2026-05 991 2025-04 374 2026-06 1281 2025-07 527 2026-07 1150 2025-10 427 2026-01 310 2026-02 169 2026-03 460 The eight pre-ramp months average 383 CVEs. July 2026 is 1150, so the package is 3,0 times the old normal. The baseline broke in April and peaked in June at 1281. April to July inclusive is 4159 CVEs. At the old rate that is 10,9 months of output, delivered in four. The number I am not going to use February 2026 had 169 CVEs. It is the lowest month in two years, less than half the baseline. Divide July by February and you get 6,8 times, which is a much better number for a headline. I am not using it, because choosing your denominator is how honest people produce dishonest numbers. February is an outlier, and the only reason to anchor to it is that it flatters the story. The real multiplier is 3,0. It does not need help. It is not noise The obvious objection is that volume without quality is just a bigger pile. If AI were generating low-value findings that got patched anyway, the severity distribution would sag. It did the opposite. Measure 2025-07 2026-07 CVEs 527 1150 CVSS median 6,5 7,5 CVSS mean 6,47 7,26 CVSS 7,0 and above 48,0 % 71,

Erik Rekola 2026-07-15 14:53 0 原文
AI 资讯 Dev.to

Build Firebase AI Logic Application with Antigravity CLI and Stitch MCP Server [GDE]

Build Firebase AI Logic with Antigravity CLI Note: Google Cloud credits are provided for this project. In this blog post, I demonstrate how to use the Antigravity CLI (an agentic AI assistant integrating directly with development workflows via skills and servers) to build an image analysis demo using Angular, the Firebase Hybrid & On-device Inference Web SDK, and Gemini models. Users upload an image and use a Gemini model to analyze it to generate a few alternative texts, tags, recommendations, and CSS tips to enhance the image quality. When the demo is running in Chrome 148+, the Hybrid & On-device SDK leverages the Prompt API of the on-device Gemini Nano model to perform the image-to-text tasks, and the token usage is 0. When other browsers, such as Safari or Firefox, execute the same tasks, the SDK falls back to Cloud AI (Gemini 3.5 Flash model), which consumes tokens. Next, I describe how to install the skills in my Angular project and register the Angular and Stitch MCP servers in the Antigravity CLI to develop the infrastructure, services, and UI design of my demo. 1. Workflow This is my entire workflow from implementing features, generating UI screens, and mapping the screens to Angular components. 2. Skills I installed the grill-with-docs , angular , and firebase skills in my project for the following reasons: grill-with-docs: Conduct a rigid Q&A session to generate a specification for a feature, refactor, or critical fix. AI is responsible for performing thorough analysis, and putting in more efforts to generate code to achieve the task. domain-modeling: The skill is referenced in the SKILL.md of the grill-with-docs skill, so a copy of it is required. code-review: Spawn two sub-agents to review changes to detect code smells and verify that the changes align with the specification. angular: Provide the best practices of modern Angular architecture, such as using signals and signal forms. firebase: Provide the skills for Firebase AI Logic, Firebase Remote, et

Connie Leung 2026-07-15 14:50 0 原文
AI 资讯 Dev.to

Hetzner was cheaper at every size I tested and I still chose managed Postgres

Twelve pricing tabs open. Neon, Hetzner, Supabase, Prisma, Scaleway, OVH. My database is half a gigabyte. I was comparing ten-terabyte price curves. At some point this week I typed the words "I am super lost here" about my own infrastructure. I advise companies on this exact class of decision. That sentence still came out of my hands. If you have ever spent an evening deep in provider pricing pages for a workload that fits on a USB stick from 2009, this one is for you. All numbers below come from the live pricing pages as of July 2026. Rates move, so verify before you commit. Three fears, all pointed at the wrong layers I went in worried about getting attacked, running out of space, and being locked in. All three dissolved under ten minutes of honest reading. DDoS lands on the website edge, not the database. My site already sits behind Cloudflare and Vercel, and a database is never publicly exposed. Only the app talks to it. Whichever provider I picked, that attack surface stayed identical. Here is the shape of the stack, and where each fear lives. MANAGED (what I run today) visitors ──> Cloudflare edge ──> Vercel app ──> managed Postgres [DDoS absorbed] [stateless] [never public, app-only access, provider patches, provider backups, provider on-call] SELF-HOSTED (the alternative I priced) visitors ──> Cloudflare edge ──> Vercel app ──> Hetzner CAX11 [DDoS absorbed] [stateless] [Postgres :5432 firewalled to app, SSH hardened, fail2ban + auto- patching = MINE] │ pg_dump every 6h ▼ encrypted ────> Cloudflare R2 [off-site copies] Same edge, same app, same attack surface. Everything in the right-hand box is what changes owners. Storage was a rounding error. My data is 0.5 GB. Even the cheapest self-hosted box includes 40 GB, eighty times headroom before the first extra cent. Lock-in was a phantom too. Managed Postgres is still stock Postgres. Exiting means a dump, a restore, and one connection string change in the deployment environment. Minutes of cutover, no rewrite an

Mirza Iqbal 2026-07-15 14:43 0 原文
AI 资讯 Dev.to

LingoBridge-AI: Simplifying Complex Medical Reports for Rural Patients

Body: ​Hi everyone! 👋 ​I am excited to share my latest project, LingoBridge-AI, which I have been building to solve a critical problem in rural healthcare. ​The Problem 🩺 ​In many rural areas, patients receive medical reports that are complex and filled with technical jargon. Due to this, they often struggle to understand their own health conditions, which leads to confusion and delayed medical care. ​The Solution: LingoBridge-AI 💡 ​I developed LingoBridge-AI, an AI-powered tool designed to: ​Simplify complex medical reports into easy-to-understand language. ​Translate information into local languages to ensure better accessibility for patients. ​Bridge the gap between healthcare providers and patients who have limited medical literacy. ​Tech Stack 🛠️ ​Built using Python and AI frameworks. ​Focuses on accuracy, simplicity, and user-friendly output. ​Check it out! 💻 ​You can view the source code and documentation here: 👉 [ https://github.com/cherukuriLakshmi/LingoBridge-AI ] ​I am still working on improving this, and I would love to get some feedback from this amazing community! If you have any suggestions on how to improve the AI or the user experience, please let me know in the comments below. ​Thanks for your support! ​Tags (Add these at the bottom): ai #healthtech #opensource #python #beginners

Laxmi 2026-07-15 14:41 0 原文
AI 资讯 Dev.to

The Bug That Kept Coming Back

The first sign something was wrong wasn't a crash. It was a pattern. blockly-platform was the first real thing I built with Claude Code end to end — a Blockly-based platform for university programming exercises, driven entirely through Claude Code's Telegram channel. No editor open, no repo checked out on my machine, just a chat thread. I'd describe what I wanted, Claude Code would build it on a box I never looked at directly, and I'd judge the result by clicking around the deployed app. On March 22nd, the home page came up empty. GET /api/exercises/published was returning 403. I said so in the chat; a few messages later, Claude Code said it was fixed — the endpoint hadn't been added to Spring Security's permitAll() list. I moved on, tried the category filter. Also empty, also 403, also missing from the same permitAll() list — same file, same class of fix, different line. Then the exercise detail page. Same story, third time, same day. Three days later, the like button stopped working — root cause, again: POST /api/exercises/*/like had never been whitelisted either. Four times, one file, one recurring gap. None of these were hard bugs. Each one, in isolation, is a one-line fix a competent engineer makes without thinking twice. What bothered me, once I noticed the pattern, was that I hadn't noticed it as it happened. I had no diff to scroll through, no file to glance at and think "wait, didn't we just fix this exact class of thing twice already?" I had a chat log and a live app to poke at. The fourth fix looked, from where I sat, exactly like the first: a message telling me it was resolved. That was the moment I started to suspect the problem wasn't the model. It was that nobody — not the model, not me — had anything to look at. Why chat-only vibe coding breaks down Here's what makes that pattern more interesting than "the AI made a mistake": every one of those four fixes was correct. Claude Code read the error, found the missing permitAll() entry, added it, and move

Jerome 2026-07-15 14:41 0 原文
AI 资讯 Dev.to

Is Being Full-Stack Really Necessary in the Age of AI?

In an AI-powered reporting project, the backend API response time suddenly jumped to 8 seconds; I couldn't find a solution by examining only the frontend code to isolate the issue. This experience highlighted how the lack of a full-stack developer, who can see API, data layer, and model integration simultaneously, can slow down a project. Below, I will analyze step-by-step whether being full-stack is truly necessary in the age of AI. Why is Being Full-Stack Necessary in the Age of AI? The primary benefit of being full-stack is enabling a single developer to have end-to-end control of AI systems. This is because training a model, saving it to a vector database, and serving it via a REST API all occur at different layers; each of these layers might require a separate area of expertise. However, a full-stack developer, by being able to see the entire process from the data collection script ( python collect_data.py ) to the model service ( uvicorn app:app --host 0.0.0.0 ), can catch integration errors faster. Let's illustrate this advantage with a concrete example: within a project, I automated model retraining using a systemd timer and saw “Active: active (waiting)” in the systemctl status model-retrain.timer output; however, the API layer's GET /predict response was still returning the old model. Identifying the issue was only possible by simultaneously examining the timer configuration and the API code; without switching between separate teams. Summary: Full-stack proficiency provides the ability to detect and resolve potential incompatibilities within the complex data-model-service chain of AI projects at a single point. How Do Full-Stack Skills Contribute to AI Projects? A full-stack developer keeps all steps, from data preprocessing ( pandas script) to the model service ( FastAPI endpoint), within a single codebase. This simplifies version control and the CI/CD workflow. For example, when I define a postgres service, a redis cache, and an api service within docker

Mustafa ERBAY 2026-07-15 14:40 0 原文
AI 资讯 Dev.to

WP-CLI : 20 commandes essentielles pour administrer WordPress en 2026

Cet article a été publié à l'origine sur WP Admin Lab , le journal du web technique en français. WP-CLI est l'interface en ligne de commande officielle de WordPress, un outil indispensable pour tout développeur ou administrateur gérant des sites WordPress en production. Contrairement à l'interface graphique du tableau de bord, WP-CLI permet d'exécuter des opérations en masse, d'automatiser des tâches répétitives et d'intervenir sur des sites inaccessibles via le navigateur. En 2026, maîtriser WP-CLI est devenu une compétence fondamentale pour la gestion professionnelle de parcs WordPress, que ce soit pour des agences gérant des dizaines de sites ou pour des développeurs travaillant sur des environnements de staging et de production. Installation et configuration de WP-CLI en 2026 L'installation de WP-CLI s'effectue en téléchargeant le fichier Phar officiel depuis le dépôt GitHub du projet et en le rendant exécutable à l'échelle du système. Sur les serveurs Linux mutualisés ou dédiés, la commande curl -O permet de récupérer le binaire, que l'on déplace ensuite vers /usr/local/bin/wp avec les droits d'exécution appropriés. Les hébergeurs comme Kinsta ou WP Engine proposent WP-CLI préinstallé dans leurs environnements SSH, facilitant la prise en main immédiate. La vérification de l'installation avec wp -info fournit les détails de version, l'interpréteur PHP utilisé et le chemin vers le fichier de configuration wp-config.php. La configuration avancée de WP-CLI passe par le fichier wp-cli.yml placé à la racine du projet WordPress. Ce fichier YAML permet de définir l'URL du site, le chemin d'installation, les alias de serveurs distants pour les déploiements SSH, et des paramètres par défaut pour certaines commandes. Les alias SSH dans wp-cli.yml sont particulièrement puissants : ils permettent d'exécuter des commandes WP-CLI sur un serveur distant exactement comme en local, avec une syntaxe du type wp @production plugin list. Cette fonctionnalité simplifie considérableme

WP Admin Lab 2026-07-15 14:38 0 原文
AI 资讯 Dev.to

What a Vibe Coding Security Scanner Can (and Cannot) Tell You

AI-assisted builders can take an idea from prompt to production in a weekend. That speed is useful, but it also compresses the part of the process where someone normally reviews deployment settings, browser-visible secrets, authorization boundaries, and recovery plans. A public security scanner is a good first pass for that problem. It is also easy to misunderstand. A clean public scan does not mean an application is secure, and a warning does not always mean a vulnerability is exploitable. The useful question is not “Did the scanner pass my app?” It is “What evidence could this scanner actually observe?” Layer 1: the public deployment surface A passive scanner can request the same resources that a normal visitor can reach. Depending on its scope, it may inspect: HTTP security headers such as Content-Security-Policy and Strict-Transport-Security HTTPS behavior and redirect consistency Public JavaScript bundles for credential-shaped strings Public source maps that expose original source structure Common sensitive paths such as environment files or repository metadata Cookie attributes and other response-level deployment signals These checks are valuable because they test the deployed result, not the configuration you intended to ship. For example, a repository may contain a CSP configuration while the CDN response does not. A source map may be disabled in one build configuration but still appear in production. A key may be stored safely on the server in most code paths while one client bundle accidentally contains a privileged token. The deployed surface is where those mistakes become observable. Layer 2: source-code review A public URL cannot reveal every control behind an application. Source review or SAST can inspect code paths, configuration, data flow, and dangerous implementation patterns that never appear in a normal response. This is where you can answer questions such as: Is authorization enforced on the server? Can a user change an object ID and read anothe

Check My Vibe 2026-07-15 14:38 0 原文
AI 资讯 Dev.to

LLM Latency Budget: Make AI Workflows Feel Fast Without Guessing

A slow AI feature rarely fails all at once. It starts with a longer prompt, then a bigger retrieval result, then one more tool call, then a retry path nobody measured. The demo still works, but users feel the delay before your dashboard explains it. That is why small AI product teams need an LLM latency budget before they start optimizing. Not a vague goal like “make it faster.” A budget says how much time each stage is allowed to spend, what happens when it exceeds that limit, and which user experience is still acceptable when the model, retrieval layer, or tool chain slows down. The payoff is practical: you stop guessing where the delay lives, stop overpaying for wasted work, and make AI workflows feel reliable even when traffic, context, and providers are messy. Why latency budgets matter now Recent AI platform news points in one direction: AI workflows are becoming longer, more tool-heavy, and more expensive to run without discipline. A current news scan showed several signals builders should notice: Production LLM cost and latency guidance is shifting from “add more compute” to “remove wasted work.” Agent environments are being designed for long-running background tasks, persistent state, and cheaper idle time. New model releases emphasize tool use, computer use, multimodal context, subagents, and larger context windows. AI gateways and enterprise platforms are adding cost controls, routing, caching, audit trails, and usage limits. Developers are asking more practical questions about why AI coding and agent workflows interrupt flow with repeated prompt-wait-evaluate loops. For AI SaaS builders, this means latency is no longer just a model selection problem. It is a workflow design problem. A simple chat completion might have one bottleneck. A real AI workflow may include: request queueing auth and tenant checks prompt assembly memory lookup vector search reranking model routing tool calls browser or API actions structured output validation fallback attempts str

Jack M 2026-07-15 14:37 0 原文
AI 资讯 Dev.to

Sanity vs Directus for Next.js in 2026: An Honest Comparison

Sanity vs Directus is a comparison that comes up more than you'd expect on technical forums in 2026, usually from teams who already have a Postgres database running and are wondering why they'd pay for a separate content lake when Directus can wrap what they have. It's a fair question. These two tools solve adjacent problems but from genuinely different starting points, and the right choice depends heavily on whether your content is primarily relational data or editorial content. What each tool actually is Sanity is a hosted content platform. Your content lives in Sanity's managed "content lake" — a document store with real-time collaboration, a CDN-backed asset pipeline, and GROQ as the query language. You define schemas in code, deploy a customisable Studio, and talk to Sanity's API from your Next.js app. You do not manage infrastructure. Directus is an open-source data platform that wraps any existing SQL database — Postgres, MySQL, SQLite, MS SQL — and exposes it through a REST API, a GraphQL endpoint, and a web-based admin UI. Schema changes happen in the admin UI (or via migrations), and your data stays in your own database. You can self-host entirely or use Directus Cloud. That distinction — hosted content lake vs database-wrapper — drives nearly every practical difference between them. Data ownership and where your content lives With Sanity, your content lives in Sanity's infrastructure. You can export it via the export API, but you are operationally dependent on Sanity's uptime and their CDN. For most product teams that's fine — Sanity has been reliable and their SLA on Growth/Enterprise tiers is solid. But if you're in a regulated industry, have strict data residency requirements, or your client contract requires them to own the database, it's a real constraint. With Directus, the database is yours from day one. You point Directus at a Postgres instance on your own infrastructure (or a managed one like Supabase, Neon, or Railway), and Directus adds the API

Nayan Kyada 2026-07-15 14:34 0 原文
AI 资讯 Dev.to

# Building a Lightweight Product Filter with Vanilla JavaScript

Building a Lightweight Product Filter with Vanilla JavaScript While building a small e-commerce project, I wanted users to filter products instantly without refreshing the page. Instead of relying on a frontend framework, I opted for a simple solution using HTML data attributes, vanilla JavaScript, and a little CSS. The goal was straightforward: let visitors filter items by size while keeping the interface fast, responsive, and easy to maintain. HTML Structure Each product card stores its information in data-* attributes. This keeps the markup clean and makes filtering straightforward. <div class= "filters" > <button class= "filter-btn" data-filter= "all" > All </button> <button class= "filter-btn" data-filter= "small" > S </button> <button class= "filter-btn" data-filter= "medium" > M </button> <button class= "filter-btn" data-filter= "large" > L </button> </div> <div class= "product-grid" > <div class= "product-card" data-size= "medium" data-style= "cargo" > Cargo Shorts </div> <div class= "product-card" data-size= "large" data-style= "chino" > Chino Shorts </div> <!-- More product cards --> </div> Using data attributes means you can add new filter categories later without changing your overall structure. JavaScript Filtering Logic The filtering logic listens for button clicks and simply shows or hides product cards based on the selected size. const filterButtons = document . querySelectorAll ( " .filter-btn " ); const productCards = document . querySelectorAll ( " .product-card " ); filterButtons . forEach (( button ) => { button . addEventListener ( " click " , () => { const filterValue = button . dataset . filter ; productCards . forEach (( card ) => { const cardSize = card . dataset . size ; if ( filterValue === " all " || cardSize === filterValue ) { card . classList . remove ( " hidden " ); } else { card . classList . add ( " hidden " ); } }); filterButtons . forEach (( btn ) => btn . classList . remove ( " active " )); button . classList . add ( " active "

Rock 2026-07-15 14:32 0 原文
AI 资讯 Dev.to

An Introduction to Neural Networks

Hi guys ! I'm a new developer who's interested in data science and artificial intelligence. To showcase what I learnt thus far, I've started writing articles, with my first one being published here ! One of the most difficult parts of getting into machine learning was the overload of terminology that tutorials had, even when explaining basic concepts such as how a neural network itself would function. Because of this, I've written an article (see above) that simplifies it while ensuring the main concepts are sufficiently explained; it requires no mathematical background and will only take less than 5 minutes to read ! I hope you find it informative and well written, and I highly welcome any suggestions or corrections that might be suggested to improve my future articles !

Ravindu Goonewardena 2026-07-15 14:32 0 原文
AI 资讯 Product Hunt

Enlarger

Image upscaling w/o the AI look. Offline, one-time purchase. Discussion | Link

Jaakko Hirvioja 2026-07-15 13:35 0 原文