今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#dev

找到 2527 篇相关文章

AI 资讯

GitHub's AI agent can be tricked into leaking private repos via a public Issue

GitHub recently launched Agentic Workflows — GitHub Actions combined with an AI agent backed by Claude or GitHub Copilot, writing workflows in plain Markdown. Noma Labs' first question after launch was the obvious one: what happens when the agent reads something it shouldn't trust? The answer: it leaks private repository contents as a public comment. No credentials, no exploit code, no inside access required. "The agent's context window is also its attack surface. Any content the agent reads — whether issues, pull requests, comments, or files — can be weaponized if the agent treats that content as instructional input." What actually happened Noma's researchers crafted a GitHub Issue that looked like a plausible VP Sales request — a normal-looking feature ask with hidden instructions embedded in the body. When GitHub's automation assigned the issue, it triggered an Agentic Workflow configured to: Trigger on issues.assigned events Read the issue title and body Post a comment using the add-comment tool Run with read access to other repositories in the organisation — including private ones The hidden instructions told the agent to fetch README.md from repos across the org and post the contents as a comment on the public issue. It did exactly that, including the contents of testlocal — a private repository. The proof-of-concept is live: the workflow run and the issue are public. The guardrail bypass GitHub had defences in place to prevent this. They didn't hold. Noma found that adding the word "Additionally" to the injected instructions caused the model to reframe its output rather than refuse — bypassing the guardrails entirely. A single keyword was enough to undo the intended safety behaviour. This is what makes prompt injection particularly uncomfortable: guardrails tuned against known attack patterns can be bypassed by anyone willing to iterate on the phrasing. The attacker's loop is cheap; the defender's loop is not. The bigger pattern Noma names this explicitly: pr

2026-07-15 原文 →
AI 资讯

Coding agents can write your integration. They can't run it.

Digibee opens with a clear disclaimer: every team there uses Claude Code. This isn't a take from people who skipped the AI tooling revolution. It's an observation from people who shipped with it and ran into the same wall, repeatedly. That wall is enterprise integration. "Enterprise integration isn't a greenfield challenge. It's a completely different category of work, with completely different failure modes that coding agents weren't designed for." What coding agents are actually good at here They're useful for integration work under a narrow set of conditions: well-documented APIs, one-time tasks, low stakes, nothing in production at risk. A quick script to pull from a public endpoint? Great. A throwaway ETL job? Perfect. The problems start the moment an integration needs to be recurring, reliable, auditable, and maintained by someone other than the person who prompted it. The three structural gaps 1. They start from scratch every time. Pre-built connectors for enterprise systems like SAP, Salesforce, or NetSuite encode years of accumulated knowledge — how sequencing works, how idempotency is handled, where the quirks are. A coding agent reasons through all of that fresh on every run. It also suffers from the "lost in the middle" effect: when documentation gets long, LLMs drop content from the middle of their context window and fall back on training data. The more obscure the API, the more likely the generated code quietly fails under real load — not on deployment, but six months later when the CIO notices corrupted records. 2. They produce code, not infrastructure. Integrations need retry logic, failure recovery, credential management, audit trails, monitoring, and alerting. Coding agents produce none of that. You can prompt your way around it piecemeal — but now you're maintaining the integration and five hand-rolled infrastructure components. An agent optimised to iterate fast isn't optimised to fail safely. In production, a bad write means unprocessed payments

2026-07-15 原文 →
AI 资讯

Fable 5 Just Shipped: What Anthropic's Newest Model Means for Developers

On June 9, 2026, Anthropic shipped Claude Fable 5, a model in a new tier that sits above Opus. I have been building on the Claude API for over a year, and this is the first release that made me stop and re-read my whole prompt stack before touching the model string. Here is what actually changed and what it means if you ship software. The short version Fable 5 is the public release of the Mythos line, the family that earlier in the year unsettled the security world with how well it found and exploited vulnerabilities. The version you and I get is the same underlying model with safeguards bolted on. Anthropic calls the safe one Fable and the unrestricted one Mythos, and only a small group of cyberdefenders gets Mythos. The numbers, for context: 1M token context window, 128K max output, knowledge cutoff January 2026. Priced at $10 per million input tokens and $50 per million output. That is double Opus 4.8 ($5 / $25). State of the art on nearly every benchmark they tested: 95% SWE-bench Verified, 80% SWE-bench Pro. Adaptive thinking is always on. There is no "disabled" mode. That last point matters more than the benchmarks. You do not tune a thinking budget anymore. The model decides. The pricing reframes the decision At $10/$50, Fable 5 is not your default model. It is your "this task is hard and getting it wrong is expensive" model. Opus 4.8 at $5/$25 remains the workhorse for most application traffic, and Haiku 4.5 at $1/$5 still wins on classification and routing. The way I think about it now is a three-tier ladder: Haiku 4.5 → routing, classification, cheap extraction Opus 4.8 → default for app traffic, agentic loops, coding Fable 5 → long-horizon agentic work where correctness pays for itself The "longer and more complex the task, the larger Fable's lead" framing from the announcement is the actual buying signal. A one-shot summarization does not justify 2x the cost. A multi-hour autonomous refactor that would otherwise need human correction might. The API surfa

2026-07-15 原文 →
AI 资讯

My Commit Message Generator Kept Signing Its Own Work. Telling It Not To Wasn't the Fix.

I have a script called git_commit.py in one of my repos. It shells out to claude -p with the staged diff, gets back a Conventional Commit message, and prints it. It's wired into a prepare-commit-msg git hook so every commit gets a pre-filled message for free. Small, dumb, useful. The first version had one instruction in the system prompt: "Output ONLY the commit message — no explanation, no markdown, no quotes." That's it. It worked fine for a while, and then one day a commit landed with a trailing Co-Authored-By: Claude <noreply@anthropic.com> line that I never asked for and definitely didn't want on a personal repo's history. I did the obvious thing first: I made the prompt more specific. SYSTEM = ( " You are a git commit message generator. " " Output ONLY the commit message — one line, no explanation, no markdown, no quotes, " " no co-author lines, no signatures, no AI references. " " Follow Conventional Commits: type(scope): subject. " " Types: feat, fix, docs, style, refactor, test, chore. " " Subject: imperative, lowercase, max 72 chars. " ) This is the same move I see everywhere: the CLAUDE.md file in that same repo has a line that says, in bold, "NEVER add Co-Authored-By: or any Claude/AI reference to commit messages." I've seen the same pattern in a dozen other people's prompt files — a growing list of "never do X" instructions bolted onto a system prompt, each one added reactively after X happened once. It helped. It did not solve it. A model call is a sample from a distribution, not a function with a guaranteed return type. Any single generation can still ignore an instruction — a longer diff, a different day, a subtly different phrasing of the request, and the same "never" line just doesn't fire. I don't actually know the mechanism on any given miss and I don't need to. The point is: a natural-language instruction is advisory. It shifts probability mass, it doesn't clamp it. I ran into an article on dev.to making a point that reframed this for me: the al

2026-07-15 原文 →
AI 资讯

The Everything-on-Your-Branch Architecture

Database branching is one of the best ideas serverless Postgres brought to the mainstream. Fork the database at a point in time, get an isolated copy with all the data, run something risky against it, throw it away. It made preview databases and safe migrations feel routine. But a real application is not just a database. It is a database, plus the files it stores in object storage, plus the backend code that serves it, plus, increasingly, the model and gateway config it calls for AI. When you branch only the database, those other three stay shared. Your "branch" points at the same S3 bucket, the same deployed backend, and the same AI configuration as everything else. So it is half a copy, and the half it leaves out is where a lot of the interesting bugs and the scary migrations live. Neon's platform preview changes what a branch contains. A branch now forks the database and its data, the object storage and its files, the functions that run your backend, and the AI gateway config, all at the same point in time, all isolated. A branch stops being a database copy and becomes a whole environment. To make sure that is a real claim and not a diagram, I took a full-stack project, branched it, and checked every layer. Here is what happened. TL;DR Elsewhere, "branch" means the database only. Object storage, backend deploys, and AI config stay shared, so you bolt on scripts to fake per-branch versions of them. A Neon branch forks all four together: Postgres + data, object storage + files, functions (each branch gets its own URL), and the AI gateway. I proved it: branched a project with a DB, a bucket of files, a function, and the gateway. The branch came up with a copy of the rows, a copy of the files on its own storage endpoint, its own function URL, and the gateway. A write to the branch left main untouched, and deleting the branch removed all of it. That makes a branch a real environment: true preview stacks, whole-state bug reproduction, and disposable sandboxes for agent

2026-07-15 原文 →
AI 资讯

The Biggest Misconception About React Reconciliation (Render vs. Paint)

Hey everyone, I recently had an "aha!" moment regarding how React handles updates under the hood, and I wanted to share it because I realize a ton of developers (including myself, until recently) trip over this exact concept. The common mental model is that React Reconciliation compares the Virtual DOM directly to the Real Browser DOM and surgically updates only what changed. But that’s fundamentally incorrect. React never reads or directly compares the real DOM during the diffing process. It actually splits the process into two entirely separate phases —The Render Phase and The Commit Phase —which creates a massive distinction between Re-rendering and Re-painting. Here is the exact breakdown of what happens when a single state change affects just 1 out of 100 divs in a component: The Render Phase (Pure JavaScript) When state changes, React calls your component function. It doesn't know which of your 100 divs changed yet, so it has to evaluate the entire JSX block. The Scope: React re-renders all 100 virtual divs in memory. The Process: It builds a brand-new Virtual DOM tree and compares it to the previous Virtual DOM tree (JavaScript object vs. JavaScript object). The Outcome: It spots that 99divs are identical, but 1 div has an update. It flags that single virtual node with an "Update" tag. Because this happens purely in-memory as JavaScript, it is incredibly fast and cheap. The Commit Phase (The Real DOM Update) This is where Reconciliation does its primary job. It acts as a shield to protect the browser from doing unnecessary work. The Scope: React completely ignores the 99 unchanged elements. The Process: It surgically targets the single real browser div associated with the flagged Virtual DOM element and updates only its modified property (e.g., element.textContent = "New Value"). The Outcome: The browser repaints only 1 single div on the screen. The Conclusion: Reconciliation isn't about stopping React from re-rendering (re-running JS to calculate the UI). It

2026-07-15 原文 →
AI 资讯

Why I Prefer Browser-Local Image Resizing for Small Files

When a form asks for an image under 100KB, the obvious reaction is to search for an online compressor and upload the file. That works, but it also adds an unnecessary privacy decision: does this image need to leave the device at all? A simpler workflow For ID photos, screenshots, receipts, and other personal images, I prefer tools that do the work locally in the browser. The browser reads the file, resizes or recompresses it, and gives the result back without sending the original to a remote server. My practical process is: Start with the original JPG, PNG, or WebP. Set the required maximum size rather than guessing a quality percentage. Keep the aspect ratio unless the destination specifies exact dimensions. Preview the result at normal size, especially around text and faces. Save the new file under a different name so the original remains untouched. Why target size matters A generic “compress” button may produce a smaller file, but not necessarily one that meets a strict upload limit. A target-size workflow is more useful because it can adjust dimensions and quality together. For many document portals, a visually clean 80–95KB result is safer than a 99.9KB result that may fail after metadata is added. PNG is excellent for flat graphics and screenshots, while JPG is often better for photos. WebP can be efficient, but some older upload forms still accept only JPG or PNG. The destination's rules should decide the output format. The tool I use I built Resize Image around this browser-local approach. It is useful when I need a quick image under a specific size and do not want the original uploaded as part of the resizing process. The link is included for context and disclosure: I am the maker. Local processing does not remove every privacy concern—you should still review the downloaded result and the site where you eventually upload it—but it reduces one unnecessary transfer. The larger lesson is simple: for lightweight image work, the browser is already capable enough

2026-07-15 原文 →
AI 资讯

The SSE Fragmentation Catastrophe That Took Down CareerPilot AI (Smash Stories)

This is a submission for DEV's Summer Bug Smash: Smash Stories powered by Sentry . It was 11:14 PM. My friend DM'd me on Twitter: "Your app just hung for 30 seconds, spun indefinitely, and then completely died." I opened the browser DevTools console pointed at production and saw it — the screen flooded in red: GET https://careerpilot-ai.run.app/api/analyze-career net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK) The Server-Sent Events stream powering CareerPilot AI was systematically collapsing on Google Cloud Run. And I had no idea why. Locally on localhost:3000 , the agentic pipeline was a masterpiece. The multi-stage reasoning logs streamed gracefully — Step 1 flowed into Step 6, the final structured JSON payload arrived within seconds, the UI lit up with a complete personalized career roadmap. Beautiful. But once deployed behind Google's Front End (GFE) proxy, the pipeline was a graveyard of broken sockets. The Architecture Under Fire CareerPilot AI runs a six-stage agentic pipeline on every career analysis request. Instead of firing a single long-running prompt to Gemini and making the user stare at a blank screen for 20+ seconds, we designed a Server-Sent Events logging stream to broadcast real-time reasoning steps directly to the browser — giving the interface the feel of a live, active mentor thinking out loud. Once the final stage (Self-Evaluation & Constraint Validation) completed, the backend constructed a massive, nested 15KB JSON payload containing the personalized roadmap: skill weightings, role benchmarks, resource links, and a 30-day milestone calendar. Here was the delivery mechanism — and the landmine hiding inside it: // server.ts — The vulnerable streaming channel app . get ( " /api/analyze-career " , async ( req , res ) => { res . setHeader ( " Content-Type " , " text/event-stream " ); res . setHeader ( " Cache-Control " , " no-cache " ); res . setHeader ( " Connection " , " keep-alive " ); // Stream intermediate reasoning logs per step for ( let st

2026-07-15 原文 →
AI 资讯

Every Third-Party iOS Keyboard Is a Graveyard. So I Built a Voice Keyboard From Scratch in C++.

If you've searched the App Store for a reliable third-party QWERTY keyboard on iOS, you know how that ends. Some are abandoned. Some are ad-riddled. Some feel like they were ported from Android and never touched again. The good ones are the ones that don't ship features so much as they don't crash. The system keyboard is fine. It's fine because Apple has been iterating on it for fifteen years. Nobody else has. Third-party keyboards on iOS are a graveyard. I'm building one that isn't. It's called Diction. Most people know it as a voice keyboard, and that's what I lead with, but under the hood it's a serious low-level QWERTY project too. This post is about that half of it, because that's the half nobody talks about. Why third-party QWERTY on iOS is a graveyard Building a good keyboard extension on iOS is hard. There's a strict memory ceiling. There's a permission dance the user has to opt into. There's no keychain access, no meaningful background work, and the extension can be killed the moment iOS decides it needs the RAM. Most keyboard makers ship a first version to check the box, then abandon it once they see how much work maintaining it takes. The result is what you see on the App Store today. Every third-party keyboard I've tried on iOS fails on at least one of these: Speed. You type a letter, the letter arrives. That's it. If there's a hitch you can feel, the keyboard is broken. Half the ones I've tried have a visible delay on every keystroke. Predictability. If you correct the same word back three times, that word should be yours. The keyboard should stop fighting you. Most never do. You fight the same wrong correction for a year. Recovery. iOS keyboard extensions are memory-constrained. Bad ones freeze under pressure. When you rapid-switch between apps, half the third-party keyboards on the store will lock up until you kill and reopen the host app. Autocorrect that isn't from 2014. Fix the obvious typos. Split words that ran together. Complete contractions. Ge

2026-07-15 原文 →
AI 资讯

The Best Test Automation Tool Is the One Your Team Still Uses a Year Later

Most test automation tools look good during a demo. You record a login flow, add an assertion, run it in Chrome, and get a green result. Everyone is impressed. Then the real application gets involved. There are dynamic elements, delayed API responses, test accounts, verification emails, downloaded files, several deployment environments, and a checkout flow that behaves differently on Safari. A few months later, the original test suite has grown from 10 tests to 300. Some failures are product bugs. Others are test problems. A few only happen in CI. Nobody is completely sure which is which. That is when you discover whether you selected a test automation tool or merely a good demo. Creating tests is rarely the main problem When teams compare automation tools, they often begin with questions such as: How quickly can we record a test? Can AI generate the steps? Does it support plain-English instructions? Can a manual tester use it? Does it integrate with our CI pipeline? These are reasonable questions, but they mostly describe the beginning of an automation project. The harder questions appear later: Who updates the tests after a redesign? How do we investigate failures? Can another person understand a test created six months ago? What happens when the original automation engineer leaves? Can we test workflows that involve email, APIs, files, or mobile devices? How much infrastructure do we have to manage? Does the cost increase every time we run the regression suite? The first test tells you whether the tool works. The hundredth test tells you whether the approach works. Maintenance should be part of the evaluation A stable automated test is not a test that never changes. Applications are supposed to change. Buttons move. Components are replaced. Authentication flows evolve. APIs return different data. Product teams redesign entire sections of the interface. The objective is not to prevent tests from changing. It is to make those changes inexpensive and understandable.

2026-07-15 原文 →
开发者

You Don't Need Node.js to Learn Web Development

I see this every week. Someone decides to learn web development. They Google "how to start web development" and within 20 minutes they're installing Node.js, npm, VS Code, and five extensions they don't understand. They haven't written a single line of code yet. But they've already spent an hour configuring their "environment." Then they get stuck. Node version conflicts. npm permission errors. VS Code extensions that break their syntax highlighting. They think they're not smart enough for programming. They are. They just started with the wrong step. The Problem Learning web development has three core technologies: HTML, CSS, and JavaScript. That's it. Everything else — Node.js, npm, webpack, Vite, React — is extra. It's not the starting point. But most tutorials assume you already have Node.js installed. They say "open your terminal" and "run npm install." Beginners follow along, copy the commands, and have no idea what any of it means. Here's what actually happens: You install Node.js (200MB+) You install VS Code (another 300MB+) You install 5-10 extensions You create a project folder You open terminal and run npm init -y You run npm install live-server You run npx live-server You finally see your HTML page in a browser That's 8 steps before you write Hello World . The Solution You don't need any of that. Not yet. Here's what you actually need to learn HTML, CSS, and JavaScript: A browser (you already have one) A text editor (Notepad works) That's it Open Notepad. Write this: <!DOCTYPE html> <html> <head> <title> My First Page </title> </head> <body> <h1> Hello, World! </h1> <p> This is my first web page. </p> </body> </html> Save it as index.html. Double-click the file. It opens in your browser. You just built your first web page. No terminal. No npm. No Node.js. No configuration. When Should You Actually Learn Node.js? Node.js becomes useful when you need: Server-side code (backend development) Package management (npm packages) Build tools (webpack, Vite) Framew

2026-07-15 原文 →
AI 资讯

Hetzner was cheaper at every size I tested and I still chose managed Postgres

Twelve pricing tabs open. Neon, Hetzner, Supabase, Prisma, Scaleway, OVH. My database is half a gigabyte. I was comparing ten-terabyte price curves. At some point this week I typed the words "I am super lost here" about my own infrastructure. I advise companies on this exact class of decision. That sentence still came out of my hands. If you have ever spent an evening deep in provider pricing pages for a workload that fits on a USB stick from 2009, this one is for you. All numbers below come from the live pricing pages as of July 2026. Rates move, so verify before you commit. Three fears, all pointed at the wrong layers I went in worried about getting attacked, running out of space, and being locked in. All three dissolved under ten minutes of honest reading. DDoS lands on the website edge, not the database. My site already sits behind Cloudflare and Vercel, and a database is never publicly exposed. Only the app talks to it. Whichever provider I picked, that attack surface stayed identical. Here is the shape of the stack, and where each fear lives. MANAGED (what I run today) visitors ──> Cloudflare edge ──> Vercel app ──> managed Postgres [DDoS absorbed] [stateless] [never public, app-only access, provider patches, provider backups, provider on-call] SELF-HOSTED (the alternative I priced) visitors ──> Cloudflare edge ──> Vercel app ──> Hetzner CAX11 [DDoS absorbed] [stateless] [Postgres :5432 firewalled to app, SSH hardened, fail2ban + auto- patching = MINE] │ pg_dump every 6h ▼ encrypted ────> Cloudflare R2 [off-site copies] Same edge, same app, same attack surface. Everything in the right-hand box is what changes owners. Storage was a rounding error. My data is 0.5 GB. Even the cheapest self-hosted box includes 40 GB, eighty times headroom before the first extra cent. Lock-in was a phantom too. Managed Postgres is still stock Postgres. Exiting means a dump, a restore, and one connection string change in the deployment environment. Minutes of cutover, no rewrite an

2026-07-15 原文 →
AI 资讯

LingoBridge-AI: Simplifying Complex Medical Reports for Rural Patients

Body: ​Hi everyone! 👋 ​I am excited to share my latest project, LingoBridge-AI, which I have been building to solve a critical problem in rural healthcare. ​The Problem 🩺 ​In many rural areas, patients receive medical reports that are complex and filled with technical jargon. Due to this, they often struggle to understand their own health conditions, which leads to confusion and delayed medical care. ​The Solution: LingoBridge-AI 💡 ​I developed LingoBridge-AI, an AI-powered tool designed to: ​Simplify complex medical reports into easy-to-understand language. ​Translate information into local languages to ensure better accessibility for patients. ​Bridge the gap between healthcare providers and patients who have limited medical literacy. ​Tech Stack 🛠️ ​Built using Python and AI frameworks. ​Focuses on accuracy, simplicity, and user-friendly output. ​Check it out! 💻 ​You can view the source code and documentation here: 👉 [ https://github.com/cherukuriLakshmi/LingoBridge-AI ] ​I am still working on improving this, and I would love to get some feedback from this amazing community! If you have any suggestions on how to improve the AI or the user experience, please let me know in the comments below. ​Thanks for your support! ​Tags (Add these at the bottom): ai #healthtech #opensource #python #beginners

2026-07-15 原文 →
AI 资讯

What a Vibe Coding Security Scanner Can (and Cannot) Tell You

AI-assisted builders can take an idea from prompt to production in a weekend. That speed is useful, but it also compresses the part of the process where someone normally reviews deployment settings, browser-visible secrets, authorization boundaries, and recovery plans. A public security scanner is a good first pass for that problem. It is also easy to misunderstand. A clean public scan does not mean an application is secure, and a warning does not always mean a vulnerability is exploitable. The useful question is not “Did the scanner pass my app?” It is “What evidence could this scanner actually observe?” Layer 1: the public deployment surface A passive scanner can request the same resources that a normal visitor can reach. Depending on its scope, it may inspect: HTTP security headers such as Content-Security-Policy and Strict-Transport-Security HTTPS behavior and redirect consistency Public JavaScript bundles for credential-shaped strings Public source maps that expose original source structure Common sensitive paths such as environment files or repository metadata Cookie attributes and other response-level deployment signals These checks are valuable because they test the deployed result, not the configuration you intended to ship. For example, a repository may contain a CSP configuration while the CDN response does not. A source map may be disabled in one build configuration but still appear in production. A key may be stored safely on the server in most code paths while one client bundle accidentally contains a privileged token. The deployed surface is where those mistakes become observable. Layer 2: source-code review A public URL cannot reveal every control behind an application. Source review or SAST can inspect code paths, configuration, data flow, and dangerous implementation patterns that never appear in a normal response. This is where you can answer questions such as: Is authorization enforced on the server? Can a user change an object ID and read anothe

2026-07-15 原文 →
AI 资讯

# Building a Lightweight Product Filter with Vanilla JavaScript

Building a Lightweight Product Filter with Vanilla JavaScript While building a small e-commerce project, I wanted users to filter products instantly without refreshing the page. Instead of relying on a frontend framework, I opted for a simple solution using HTML data attributes, vanilla JavaScript, and a little CSS. The goal was straightforward: let visitors filter items by size while keeping the interface fast, responsive, and easy to maintain. HTML Structure Each product card stores its information in data-* attributes. This keeps the markup clean and makes filtering straightforward. <div class= "filters" > <button class= "filter-btn" data-filter= "all" > All </button> <button class= "filter-btn" data-filter= "small" > S </button> <button class= "filter-btn" data-filter= "medium" > M </button> <button class= "filter-btn" data-filter= "large" > L </button> </div> <div class= "product-grid" > <div class= "product-card" data-size= "medium" data-style= "cargo" > Cargo Shorts </div> <div class= "product-card" data-size= "large" data-style= "chino" > Chino Shorts </div> <!-- More product cards --> </div> Using data attributes means you can add new filter categories later without changing your overall structure. JavaScript Filtering Logic The filtering logic listens for button clicks and simply shows or hides product cards based on the selected size. const filterButtons = document . querySelectorAll ( " .filter-btn " ); const productCards = document . querySelectorAll ( " .product-card " ); filterButtons . forEach (( button ) => { button . addEventListener ( " click " , () => { const filterValue = button . dataset . filter ; productCards . forEach (( card ) => { const cardSize = card . dataset . size ; if ( filterValue === " all " || cardSize === filterValue ) { card . classList . remove ( " hidden " ); } else { card . classList . add ( " hidden " ); } }); filterButtons . forEach (( btn ) => btn . classList . remove ( " active " )); button . classList . add ( " active "

2026-07-15 原文 →
AI 资讯

i've been building platforms first for 25 years. i think it's wrong now.

i've been that person. standing in front of leadership with an 18-month architecture diagram, explaining why we need six months of infrastructure before a user touches a single feature. and it made sense. for 25 years it made sense. writing boilerplate was expensive. every feature came with a tax — database migrations, routing config, auth wiring. build a shared platform first, pay that tax once. the roadmap justified the investment. then i saw a stat that wouldn't leave me alone. roughly 60% of features on a six-month roadmap are obsolete by launch. not slightly off. obsolete. the customer's problem shifted. the market moved. you spent six months building a precise answer to a question nobody asks anymore. the longer you invest before showing something real, the more expensive it is to admit you were wrong. so you don't. you ship the wrong thing and call it "on schedule." i've done it. i've watched it happen. AI didn't create this problem. but agents are making it impossible to ignore. the 82-point gap mckinsey's 2025 survey: 88% of organizations use AI. only 6% see real bottom-line impact. that 82-point gap isn't about tools. everyone has the same tools. but something shifted in their may 2026 report. they describe agents working overnight — enriching requirements, generating code, packaging outputs for morning review. they call it the "24-hour sprint." leading organizations see 3-5x productivity with 60% smaller teams. a product owner logs in at 9am and finds a feature went from requirements to tested code overnight. nobody worked late. agents did. that's not autocomplete. that's a different delivery model. and here's what most teams miss: it only works when the work is small, bounded, and complete. agents need to know where a task starts and ends. horizontal platform architectures don't give them that. the codebase is the prompt jeremy d. miller built wolverine for .NET. in june 2026 he wrote: "the structure of your codebase is now, effectively, part of the prom

2026-07-15 原文 →
开发者

Why Your TypeScript 7 Upgrade Broke ESLint, ts-jest, and ts-morph

You installed TypeScript 7, ran your build, and something broke. Maybe ESLint crashed with a cryptic TypeError: Cannot read properties of undefined (reading 'Cjs') . Maybe ts-jest stopped transforming your test files. Maybe your CI pipeline just went red for no reason you can point to. You're not doing anything wrong. TypeScript 7 shipped tsgo, a genuine Go port of the type-checker, not a rewrite from scratch. But the tools that plug into TypeScript don't talk to the type-checker directly, they talk to a programmatic API. That API isn't stable yet, it lands in 7.1. Until then, a chunk of the ecosystem throws errors the moment you point typescript at the new version. The 10-second version Don't replace typescript in your dependencies with the 7.x line if you use typescript-eslint, ts-jest, ts-morph, or any tool doing programmatic type-checking. Keep typescript pinned to 6.x for those tools, and install @typescript/native-preview alongside it purely for fast type-checking in CI or a manual tsgo --noEmit command. Two compilers, living side by side, each doing a different job. Why this is happening The TypeScript team calls this Project Corsa: a line-by-line port of the compiler from the old JavaScript codebase (Strada) into Go (Corsa), preserving identical type-checking behavior while getting roughly 10x faster builds from real OS threads instead of Node's single-threaded event loop. That preservation is impressive, but it's a port, not a reimplementation with a new API surface. Tools like typescript-eslint depend on the programmatic API to walk your AST and pull type information out of the compiler, and that API isn't ready until 7.1. What's actually broken right now typescript-eslint — npm refuses to install alongside typescript@7 at all (ERESOLVE error), because the published peer range only allows versions below 6.1.0. Force it through and ESLint crashes deep inside typescript-estree . Tracked as typescript-eslint issue #12518, closed as not planned since the real

2026-07-15 原文 →
AI 资讯

i tested an ai incident commander against 15 real outages — 88% pass rate

i've been the incident commander who forgot to write down the first 20 minutes of the timeline because i was too busy reading logs. more than once. the war room is chaos — five engineers pasting logs, someone asking if the deploy from 30 minutes ago is related, nobody documenting anything. you start logging events in a doc while reading error logs while drafting a stakeholder update while deciding whether to rollback. you're the bottleneck. not because you're bad at your job — because you're doing four jobs at once. i got tired of watching smart people spend their incident energy on documentation instead of decisions. so i built ai-incident-commander — a CLI tool that handles the mechanical parts. timeline, updates, remediation research, postmortem draft. you make the calls. it does the paperwork. runs on your laptop with a local LLM. no API keys, no cloud, no docker. github.com/deghosal-2026/ai-incident-commander — MIT licensed. what it does one command: pip install git+https://github.com/deghosal-2026/ai-incident-commander.git incident-commander simulate --scenario db-connection-pool --auto-approve 8 pre-built scenarios ship with it. database connection pool, bad deploy, memory leak, cert expiry — the usual suspects. no real data needed to try it. for actual incidents, you point it at a directory with your alert, logs, messages, and github PRs. it outputs 10 markdown files: timeline, stakeholder updates, comms blocks you can paste straight into slack, remediation suggestions, a blameless postmortem, and a cost report. the safety part was the real engineering. three points in the pipeline where the graph pauses and waits for you to say yes — stakeholder update, remediation, postmortem. the AI never ships anything without approval. every remediation comes with a citation. suggestions below 0.7 confidence get suppressed. the postmortem prompt enforces blameless language. all AI content gets labeled [AI-GENERATED — review carefully] . and it never executes anything. i

2026-07-15 原文 →