今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#AI

找到 3510 篇相关文章

AI 资讯

AI Is Not Replacing Marketers. It Is Replacing Marketers With No Taste.

There's a specific kind of marketer who should be nervous right now. Not the strategist. Not the writer with a point of view. Not the creative director who can look at forty options and know, instantly, which one is alive and which thirty-nine are furniture. The one who should be nervous is the marketer whose entire job was being a slow version of a machine. You know this person. Maybe you've been this person — most of us have, at some point, in some job. The one whose week was resizing banners, rewording the same caption in six formats, pulling a report nobody reads, and calling a meeting to discuss the meeting. Their output was never brilliant, but it was there, and for twenty years, "there" was enough. Volume looked like value. Busy looked like good. AI just ended that arrangement. Quietly, without a memo. The excuse economy is closing For most of modern marketing, mediocrity had excellent cover. A bad campaign could hide behind timelines. A weak idea could hide behind budget. "We didn't have the resources" was the most useful sentence in the industry, and everyone accepted it, because everyone was using it. Now a two-person studio in Amman or Manila or Medellín can produce, in an afternoon, what used to require a floor of people and a quarter of runway. The drafts are instant. The variations are infinite. The production bottleneck — the thing entire careers were built on managing — is basically gone. Which means the only thing left to judge is the thing that was always the actual point: is the idea any good? That question used to arrive at the end of a long process, softened by exhaustion and sunk cost. Now it arrives immediately, naked, on day one. There's nowhere for a bad idea to hide anymore, because there's no longer a six-week production schedule standing in front of it. What the machine actually can't do Here's what gets lost in the panic. AI can generate. It cannot choose. It can write you a hundred taglines. It cannot tell you which one will make a foun

2026-07-15 原文 →
AI 资讯

Where ACC Fits in the Agent Stack: Transport, Runtime Control, and Business Authority

Connecting an AI agent to a tool is becoming easier. Letting that agent operate a real business system responsibly is still a different problem. Imagine an existing commerce system with APIs for reading orders, changing inventory, creating refunds, and disabling staff accounts. OpenAPI can describe the endpoints. A tool protocol can make them discoverable. An agent framework can select an operation and generate arguments. But those pieces do not, by themselves, answer several business questions: Which operations may be exposed to an agent-facing surface? Which invocation must carry a trusted acting subject? Which operation is high consequence? When does an invocation express approval intent? Which calls need stronger audit handling? Which execution properties should a runtime know before it invokes the API? These questions sit between tool connectivity and final business authorization. That is the layer the Agent Capability Contract, or ACC, is designed to describe. Start with a concrete operation Consider this API operation: paths : /orders/{order_id}/refund : post : operationId : createRefund parameters : - in : path name : order_id required : true schema : type : string requestBody : required : true content : application/json : schema : type : object required : [ amount ] properties : amount : type : number minimum : 0 This is enough to describe how to call the operation. It is not enough to describe how an agent-facing system should treat it. ACC adds a small, machine-readable declaration next to the operation: x-agent-capability : version : 1 enabled : true scope : refund.create risk : level : high subject : required : true approval : required : true when : - param : amount op : " >" value : 1000 audit : sensitive : true execution : readonly : false idempotent : true timeout_ms : 10000 The declaration does not grant the refund. It tells a compatible runtime how the operation should be presented and governed before the business system receives the call. The miss

2026-07-15 原文 →
AI 资讯

Microsoft said the patches would get bigger. I measured how much bigger.

On 9 July 2026 the head of Windows published a post about AI-powered vulnerability discovery. One line in it was a warning to customers: "As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release." It does not say how much higher. The post runs about 1400 words and contains no numbers at all. Five days later Microsoft shipped the July package: 1150 CVEs. The number Microsoft would not put in the blog post is sitting in Microsoft's own API. The Security Update Guide publishes every monthly package as machine-readable CVRF, acknowledgments included, no key required. So I pulled twelve months of it and did the arithmetic. What the data says I sampled eight months before the ramp and four after it. Month CVEs Month CVEs 2024-07 454 2026-04 737 2025-01 343 2026-05 991 2025-04 374 2026-06 1281 2025-07 527 2026-07 1150 2025-10 427 2026-01 310 2026-02 169 2026-03 460 The eight pre-ramp months average 383 CVEs. July 2026 is 1150, so the package is 3,0 times the old normal. The baseline broke in April and peaked in June at 1281. April to July inclusive is 4159 CVEs. At the old rate that is 10,9 months of output, delivered in four. The number I am not going to use February 2026 had 169 CVEs. It is the lowest month in two years, less than half the baseline. Divide July by February and you get 6,8 times, which is a much better number for a headline. I am not using it, because choosing your denominator is how honest people produce dishonest numbers. February is an outlier, and the only reason to anchor to it is that it flatters the story. The real multiplier is 3,0. It does not need help. It is not noise The obvious objection is that volume without quality is just a bigger pile. If AI were generating low-value findings that got patched anyway, the severity distribution would sag. It did the opposite. Measure 2025-07 2026-07 CVEs 527 1150 CVSS median 6,5 7,5 CVSS mean 6,47 7,26 CVSS 7,0 and above 48,0 % 71,

2026-07-15 原文 →
AI 资讯

Build Firebase AI Logic Application with Antigravity CLI and Stitch MCP Server [GDE]

Build Firebase AI Logic with Antigravity CLI Note: Google Cloud credits are provided for this project. In this blog post, I demonstrate how to use the Antigravity CLI (an agentic AI assistant integrating directly with development workflows via skills and servers) to build an image analysis demo using Angular, the Firebase Hybrid & On-device Inference Web SDK, and Gemini models. Users upload an image and use a Gemini model to analyze it to generate a few alternative texts, tags, recommendations, and CSS tips to enhance the image quality. When the demo is running in Chrome 148+, the Hybrid & On-device SDK leverages the Prompt API of the on-device Gemini Nano model to perform the image-to-text tasks, and the token usage is 0. When other browsers, such as Safari or Firefox, execute the same tasks, the SDK falls back to Cloud AI (Gemini 3.5 Flash model), which consumes tokens. Next, I describe how to install the skills in my Angular project and register the Angular and Stitch MCP servers in the Antigravity CLI to develop the infrastructure, services, and UI design of my demo. 1. Workflow This is my entire workflow from implementing features, generating UI screens, and mapping the screens to Angular components. 2. Skills I installed the grill-with-docs , angular , and firebase skills in my project for the following reasons: grill-with-docs: Conduct a rigid Q&A session to generate a specification for a feature, refactor, or critical fix. AI is responsible for performing thorough analysis, and putting in more efforts to generate code to achieve the task. domain-modeling: The skill is referenced in the SKILL.md of the grill-with-docs skill, so a copy of it is required. code-review: Spawn two sub-agents to review changes to detect code smells and verify that the changes align with the specification. angular: Provide the best practices of modern Angular architecture, such as using signals and signal forms. firebase: Provide the skills for Firebase AI Logic, Firebase Remote, et

2026-07-15 原文 →
AI 资讯

LingoBridge-AI: Simplifying Complex Medical Reports for Rural Patients

Body: ​Hi everyone! 👋 ​I am excited to share my latest project, LingoBridge-AI, which I have been building to solve a critical problem in rural healthcare. ​The Problem 🩺 ​In many rural areas, patients receive medical reports that are complex and filled with technical jargon. Due to this, they often struggle to understand their own health conditions, which leads to confusion and delayed medical care. ​The Solution: LingoBridge-AI 💡 ​I developed LingoBridge-AI, an AI-powered tool designed to: ​Simplify complex medical reports into easy-to-understand language. ​Translate information into local languages to ensure better accessibility for patients. ​Bridge the gap between healthcare providers and patients who have limited medical literacy. ​Tech Stack 🛠️ ​Built using Python and AI frameworks. ​Focuses on accuracy, simplicity, and user-friendly output. ​Check it out! 💻 ​You can view the source code and documentation here: 👉 [ https://github.com/cherukuriLakshmi/LingoBridge-AI ] ​I am still working on improving this, and I would love to get some feedback from this amazing community! If you have any suggestions on how to improve the AI or the user experience, please let me know in the comments below. ​Thanks for your support! ​Tags (Add these at the bottom): ai #healthtech #opensource #python #beginners

2026-07-15 原文 →
AI 资讯

The Bug That Kept Coming Back

The first sign something was wrong wasn't a crash. It was a pattern. blockly-platform was the first real thing I built with Claude Code end to end — a Blockly-based platform for university programming exercises, driven entirely through Claude Code's Telegram channel. No editor open, no repo checked out on my machine, just a chat thread. I'd describe what I wanted, Claude Code would build it on a box I never looked at directly, and I'd judge the result by clicking around the deployed app. On March 22nd, the home page came up empty. GET /api/exercises/published was returning 403. I said so in the chat; a few messages later, Claude Code said it was fixed — the endpoint hadn't been added to Spring Security's permitAll() list. I moved on, tried the category filter. Also empty, also 403, also missing from the same permitAll() list — same file, same class of fix, different line. Then the exercise detail page. Same story, third time, same day. Three days later, the like button stopped working — root cause, again: POST /api/exercises/*/like had never been whitelisted either. Four times, one file, one recurring gap. None of these were hard bugs. Each one, in isolation, is a one-line fix a competent engineer makes without thinking twice. What bothered me, once I noticed the pattern, was that I hadn't noticed it as it happened. I had no diff to scroll through, no file to glance at and think "wait, didn't we just fix this exact class of thing twice already?" I had a chat log and a live app to poke at. The fourth fix looked, from where I sat, exactly like the first: a message telling me it was resolved. That was the moment I started to suspect the problem wasn't the model. It was that nobody — not the model, not me — had anything to look at. Why chat-only vibe coding breaks down Here's what makes that pattern more interesting than "the AI made a mistake": every one of those four fixes was correct. Claude Code read the error, found the missing permitAll() entry, added it, and move

2026-07-15 原文 →
AI 资讯

What a Vibe Coding Security Scanner Can (and Cannot) Tell You

AI-assisted builders can take an idea from prompt to production in a weekend. That speed is useful, but it also compresses the part of the process where someone normally reviews deployment settings, browser-visible secrets, authorization boundaries, and recovery plans. A public security scanner is a good first pass for that problem. It is also easy to misunderstand. A clean public scan does not mean an application is secure, and a warning does not always mean a vulnerability is exploitable. The useful question is not “Did the scanner pass my app?” It is “What evidence could this scanner actually observe?” Layer 1: the public deployment surface A passive scanner can request the same resources that a normal visitor can reach. Depending on its scope, it may inspect: HTTP security headers such as Content-Security-Policy and Strict-Transport-Security HTTPS behavior and redirect consistency Public JavaScript bundles for credential-shaped strings Public source maps that expose original source structure Common sensitive paths such as environment files or repository metadata Cookie attributes and other response-level deployment signals These checks are valuable because they test the deployed result, not the configuration you intended to ship. For example, a repository may contain a CSP configuration while the CDN response does not. A source map may be disabled in one build configuration but still appear in production. A key may be stored safely on the server in most code paths while one client bundle accidentally contains a privileged token. The deployed surface is where those mistakes become observable. Layer 2: source-code review A public URL cannot reveal every control behind an application. Source review or SAST can inspect code paths, configuration, data flow, and dangerous implementation patterns that never appear in a normal response. This is where you can answer questions such as: Is authorization enforced on the server? Can a user change an object ID and read anothe

2026-07-15 原文 →
AI 资讯

LLM Latency Budget: Make AI Workflows Feel Fast Without Guessing

A slow AI feature rarely fails all at once. It starts with a longer prompt, then a bigger retrieval result, then one more tool call, then a retry path nobody measured. The demo still works, but users feel the delay before your dashboard explains it. That is why small AI product teams need an LLM latency budget before they start optimizing. Not a vague goal like “make it faster.” A budget says how much time each stage is allowed to spend, what happens when it exceeds that limit, and which user experience is still acceptable when the model, retrieval layer, or tool chain slows down. The payoff is practical: you stop guessing where the delay lives, stop overpaying for wasted work, and make AI workflows feel reliable even when traffic, context, and providers are messy. Why latency budgets matter now Recent AI platform news points in one direction: AI workflows are becoming longer, more tool-heavy, and more expensive to run without discipline. A current news scan showed several signals builders should notice: Production LLM cost and latency guidance is shifting from “add more compute” to “remove wasted work.” Agent environments are being designed for long-running background tasks, persistent state, and cheaper idle time. New model releases emphasize tool use, computer use, multimodal context, subagents, and larger context windows. AI gateways and enterprise platforms are adding cost controls, routing, caching, audit trails, and usage limits. Developers are asking more practical questions about why AI coding and agent workflows interrupt flow with repeated prompt-wait-evaluate loops. For AI SaaS builders, this means latency is no longer just a model selection problem. It is a workflow design problem. A simple chat completion might have one bottleneck. A real AI workflow may include: request queueing auth and tenant checks prompt assembly memory lookup vector search reranking model routing tool calls browser or API actions structured output validation fallback attempts str

2026-07-15 原文 →
AI 资讯

An Introduction to Neural Networks

Hi guys ! I'm a new developer who's interested in data science and artificial intelligence. To showcase what I learnt thus far, I've started writing articles, with my first one being published here ! One of the most difficult parts of getting into machine learning was the overload of terminology that tutorials had, even when explaining basic concepts such as how a neural network itself would function. Because of this, I've written an article (see above) that simplifies it while ensuring the main concepts are sufficiently explained; it requires no mathematical background and will only take less than 5 minutes to read ! I hope you find it informative and well written, and I highly welcome any suggestions or corrections that might be suggested to improve my future articles !

2026-07-15 原文 →
AI 资讯

Knowledge-and-Memory-Management v0.0.2: Portable Knowledge Collection and Memory Management

Knowledge-and-Memory-Management v0.0.2 is out, delivering a clean release that prioritizes portability and modularity. This version shifts from hardcoded personal paths to $AGENT_HOME , making your knowledge pipelines reproducible across environments. If you’re building autonomous systems that need to ingest web content, video transcripts, or articles, this is the update you’ve been waiting for. The core design separates collection from memory management. The knowledge_collector module handles ingestion, while memory_manager handles storage, retrieval, and decay. The $AGENT_HOME environment variable anchors all runtime paths—no more hardcoded /home/user strings. Set it once, and your agents can carry their knowledge base anywhere. Knowledge Collection: Web, Video, Articles The collector supports three primary sources: Web : Scrapes and parses HTML, extracting body text and metadata. Handles rate limiting and retry logic. Video : Takes a YouTube URL, downloads captions (if available) or generates transcripts via Whisper integration. Articles : Parses RSS feeds or direct PDF links, chunking content by sections. All sources normalize into a KnowledgeEntry dict: {source, timestamp, content, embeddings} . The collector writes raw entries to $AGENT_HOME/knowledge/raw/ and passes them to the memory manager for processing. Memory Management with $AGENT_HOME The memory manager is where the clean release shines. Previous versions used os.path.expanduser("~/knowledge") , which broke across systems. v0.0.2 requires $AGENT_HOME to be set, then constructs all paths relative to it: $AGENT_HOME/memory/ stores persistent memories. $AGENT_HOME/knowledge/ holds raw and processed collections. $AGENT_HOME/config/ contains source definitions and memory decay rules. This design lets you ship a single agent.env file with AGENT_HOME=/opt/myagent or %AGENT_HOME%\data —no platform-specific configuration. The memory manager indexes entries by semantic embeddings (via a pluggable model provider

2026-07-15 原文 →
AI 资讯

i've been building platforms first for 25 years. i think it's wrong now.

i've been that person. standing in front of leadership with an 18-month architecture diagram, explaining why we need six months of infrastructure before a user touches a single feature. and it made sense. for 25 years it made sense. writing boilerplate was expensive. every feature came with a tax — database migrations, routing config, auth wiring. build a shared platform first, pay that tax once. the roadmap justified the investment. then i saw a stat that wouldn't leave me alone. roughly 60% of features on a six-month roadmap are obsolete by launch. not slightly off. obsolete. the customer's problem shifted. the market moved. you spent six months building a precise answer to a question nobody asks anymore. the longer you invest before showing something real, the more expensive it is to admit you were wrong. so you don't. you ship the wrong thing and call it "on schedule." i've done it. i've watched it happen. AI didn't create this problem. but agents are making it impossible to ignore. the 82-point gap mckinsey's 2025 survey: 88% of organizations use AI. only 6% see real bottom-line impact. that 82-point gap isn't about tools. everyone has the same tools. but something shifted in their may 2026 report. they describe agents working overnight — enriching requirements, generating code, packaging outputs for morning review. they call it the "24-hour sprint." leading organizations see 3-5x productivity with 60% smaller teams. a product owner logs in at 9am and finds a feature went from requirements to tested code overnight. nobody worked late. agents did. that's not autocomplete. that's a different delivery model. and here's what most teams miss: it only works when the work is small, bounded, and complete. agents need to know where a task starts and ends. horizontal platform architectures don't give them that. the codebase is the prompt jeremy d. miller built wolverine for .NET. in june 2026 he wrote: "the structure of your codebase is now, effectively, part of the prom

2026-07-15 原文 →
AI 资讯

i tested an ai incident commander against 15 real outages — 88% pass rate

i've been the incident commander who forgot to write down the first 20 minutes of the timeline because i was too busy reading logs. more than once. the war room is chaos — five engineers pasting logs, someone asking if the deploy from 30 minutes ago is related, nobody documenting anything. you start logging events in a doc while reading error logs while drafting a stakeholder update while deciding whether to rollback. you're the bottleneck. not because you're bad at your job — because you're doing four jobs at once. i got tired of watching smart people spend their incident energy on documentation instead of decisions. so i built ai-incident-commander — a CLI tool that handles the mechanical parts. timeline, updates, remediation research, postmortem draft. you make the calls. it does the paperwork. runs on your laptop with a local LLM. no API keys, no cloud, no docker. github.com/deghosal-2026/ai-incident-commander — MIT licensed. what it does one command: pip install git+https://github.com/deghosal-2026/ai-incident-commander.git incident-commander simulate --scenario db-connection-pool --auto-approve 8 pre-built scenarios ship with it. database connection pool, bad deploy, memory leak, cert expiry — the usual suspects. no real data needed to try it. for actual incidents, you point it at a directory with your alert, logs, messages, and github PRs. it outputs 10 markdown files: timeline, stakeholder updates, comms blocks you can paste straight into slack, remediation suggestions, a blameless postmortem, and a cost report. the safety part was the real engineering. three points in the pipeline where the graph pauses and waits for you to say yes — stakeholder update, remediation, postmortem. the AI never ships anything without approval. every remediation comes with a citation. suggestions below 0.7 confidence get suppressed. the postmortem prompt enforces blameless language. all AI content gets labeled [AI-GENERATED — review carefully] . and it never executes anything. i

2026-07-15 原文 →
AI 资讯

From $39/Month to $1: How I Moved 10+ Sites Off Hostinger for Free

Last month I finally did some math I'd been putting off: how much I was actually paying to keep a bunch of sites online. $39/month on Hostinger (about R$200, I'm in Brazil). For hosting 10+ sites: product landing pages, blogs, a couple of small tools. Every month, on autopilot, straight off the card. Then I asked myself the obvious question I'd been avoiding: out of those 10+ sites, how many actually need a server running 24/7? Answer: none. What these sites actually are A product landing page doesn't need PHP processing a request. A blog doesn't need a database query on every page view. A marketing site doesn't change its content every second. That's HTML, CSS, and JS you can generate once and serve from a CDN. In other words: a static site. A few real examples I migrated: eduardovillao.me → my personal blog, built with Astro formroute.dev → a SaaS landing page, plain HTML wpfeatureloop.com → a dev tool landing page, plain HTML Three different kinds of sites (blog, SaaS, dev tool), two different stacks, and none of them needed a server running around the clock just to exist. The reason I hadn't migrated sooner wasn't technical. It was inertia. "It's already paid for, it already works, leave it alone." Classic. The migration I moved everything to Cloudflare Pages . The reasoning is boring because it's so simple: it's free, global CDN, automatic SSL, Git-based deploys, custom domains at no extra cost. For static sites, there's really nothing to debate. The process, in short: Each site became a repo (or a folder inside a monorepo, depending on the case) Connected the repo to Cloudflare Pages Set up the build, mostly plain HTML, Astro for the blog where I wanted content collections and a proper writing workflow Pointed the domain, SSL came up on its own Cancelled hosting for that domain on Hostinger Repeated that site by site. No magic, just repetitive work, but each one took about 20-30 minutes. (If you want the technical deep dive on one specific migration, including

2026-07-15 原文 →
AI 资讯

How to run your first OpenAI-compatible API call with curl, Python, and Node.js

When you are testing an OpenAI-compatible API endpoint, the fastest path is not to wire it into a full app immediately. Start with one small request, confirm the base URL, API key, model name, and response shape, then move the working call into your product. I put together a compact examples repo for that exact first-call workflow: https://github.com/OriginStartAI/openai-compatible-api-examples It includes curl, Python, Node.js, streaming responses, JSON structured output, migration notes, and a small error reference. 1. Set environment variables first Keep credentials out of source code and use environment variables: ORIGINSTARTAI_API_KEY = your_api_key_here ORIGINSTARTAI_BASE_URL = https://your-api-base-url/v1 ORIGINSTARTAI_MODEL = your_enabled_model The important parts are simple: base_url or baseURL points to your OpenAI-compatible endpoint. api_key or apiKey is your provider key. model must be enabled for your account. Streaming support should be tested separately. 2. Test with curl Curl is useful because it removes SDK behavior from the equation: curl " $ORIGINSTARTAI_BASE_URL /chat/completions" \ -H "Authorization: Bearer $ORIGINSTARTAI_API_KEY " \ -H "Content-Type: application/json" \ -d '{ "model": "' " $ORIGINSTARTAI_MODEL " '", "messages": [ {"role": "user", "content": "Say hello from OriginStartAI"} ] }' If this works, your endpoint, key, and model are probably configured correctly. 3. Then test Python from openai import OpenAI import os client = OpenAI ( api_key = os . environ [ " ORIGINSTARTAI_API_KEY " ], base_url = os . environ [ " ORIGINSTARTAI_BASE_URL " ], ) response = client . chat . completions . create ( model = os . environ [ " ORIGINSTARTAI_MODEL " ], messages = [{ " role " : " user " , " content " : " Write one friendly onboarding sentence. " }], ) print ( response . choices [ 0 ]. message . content ) 4. Then test Node.js import OpenAI from " openai " ; const client = new OpenAI ({ apiKey : process . env . ORIGINSTARTAI_API_KEY , baseURL : p

2026-07-15 原文 →
AI 资讯

Stratagems #14: Leo Found an AI Leak. He Wasn't the First to Find It.

Take the opportunity to pilfer a goat. — The 36 Stratagems, Take the Opportunity to Pilfer a Goat Previously on this series: #5: Leo Walked Into a Burning House. He Walked Out With a Client. — At 1 AM, Leo received an anonymous message and drove across town to fix a competitor's outage. A second message followed — a screenshot with a name: Automated Compliance Lab. He didn't remember the acronym. He didn't delete the screenshot. #10: Lena Watched a Team Adopt Her AI Template. Leo Didn't Know the Knife Was in the Contract. — Lena joined CoreStack as a consultant and built Leo a reporting template. Leo thought she was there to help. Five weeks later the template went live. Six months later the data baseline was locked. He only then realized he'd been inside her palm the whole time. Taken down by a smile. This was a few months later. The Archive Cleanup SOC 2 Type II renewal had just passed. The auditors were gone. CoreStack's compliance team was doing the post-audit archive — classifying every record produced during the audit and tagging them with retention periods. Leo got the cleanup part. The training pipeline's cache directory. The cleanup cron job hadn't run for a week — nobody noticed. When he looked inside, the output folder had a few records with train_ prefixes mixed in among inference outputs. One of them had a model_version that wasn't CoreStack's own. model_version : " acl-train-2026q2-v3" Leo copied that line out. Didn't delete it. Didn't report it. Dropped it into a folder called _misc/ .Set a quiet keyword alert for "acl-train" before closing the terminal. He noticed the naming convention wasn't FinOptima's — FinOptima used fin-model- plus timestamps. acl- — he'd seen that prefix somewhere before. Couldn't place it. He didn't let himself try. He filed it away. Went back to archiving. The Trace Not every CTO digs through cache write logs during archive cleanup. He did. He spent two hours cross-referencing FinOptima's API call records against CoreStack's

2026-07-15 原文 →
AI 资讯

Dependabot learns to wait: version-update PRs now sit for three days by default

Every time your bot merges a two-hour-old release into main, you are trusting a stranger's freshly published tarball to be the same one everyone else is looking at. Sometimes that release is a real bugfix. Sometimes it is a maintainer who fat-fingered a token, or an attacker who did not, and either way your CI cheerfully rebases against it before anyone had a chance to notice. On 2026-07-14, GitHub added a pause. Not a big one. But a real one. The actual change Dependabot version updates now sit on their hands for three days after a package is published. According to the GitHub Changelog, a release has to have been available on its registry for at least that long before Dependabot will open a version-update pull request against your repository. The cooldown is on by default and requires no configuration. It applies across every ecosystem Dependabot supports on github.com, and GitHub Enterprise Server picks it up in GHES 3.23. Security updates are exempt. If a fix for a known vulnerability lands, Dependabot will still open the PR the moment it can, because a three-day delay on the patch defeats the entire point of shipping the patch. That single carve-out is the whole design. Why three days is doing so much work Three days is not enough time to audit a package. Nobody is pretending otherwise. What three days is enough for is someone else to notice. Most malicious releases that end up on a public registry get pulled quickly once security researchers, downstream maintainers, or the registry's own scanners spot the pattern. The typosquats, the hijacked accounts, the crypto miners buried in a postinstall script: they all rely on being pulled into build automation before the pattern is visible. Dependabot's old default was to be that automation. Its new default is to let the pattern show up first. You can read this change as GitHub quietly admitting that "always up to date" was the wrong marketing promise for a supply-chain tool. The knob, and what shifted about it Cooldo

2026-07-15 原文 →