🔥 ryanmcdermott / clean-code-javascript - Clean Code concepts adapted for JavaScript
GitHub热门项目 | Clean Code concepts adapted for JavaScript | Stars: 94,393 | 18 stars today | 语言: JavaScript
找到 1432 篇相关文章
GitHub热门项目 | Clean Code concepts adapted for JavaScript | Stars: 94,393 | 18 stars today | 语言: JavaScript
GitHub热门项目 | Welcome to a calmer internet | Stars: 42,327 | 67 stars today | 语言: JavaScript
GitHub热门项目 | Turn any PDF or image document into structured data for your AI. A powerful, lightweight OCR toolkit that bridges the gap between images/PDFs and LLMs. Supports 100+ languages. | Stars: 78,940 | 148 stars today | 语言: Python
GitHub热门项目 | PentestAgent is an AI agent framework for black-box security testing, supporting bug bounty, red-team, and penetration testing workflows. | Stars: 2,489 | 30 stars today | 语言: Python
GitHub热门项目 | Deep Eye orchestrates multiple AI providers (OpenAI, Claude, Grok, Gemini, OLLAMA, Groq, Mistral, OpenRouter, LiteLLM, LM Studio) for intelligent payload generation, scans targets for 45+ vulnerability types, and produces professional reports with compliance mapping. | Stars: 1,562 | 42 stars today | 语言: Python
GitHub热门项目 | 自动化上传视频到社交媒体:抖音、小红书、视频号、tiktok、youtube、bilibili | Stars: 11,582 | 185 stars today | 语言: Python
GitHub热门项目 | A platform for reproducible world model research and evaluation | Stars: 1,058 | 346 stars today | 语言: Python
Supply chain attacks every other morning Unless you've lived under a rock for the last few months, you probably noticed that software supply chain attacks are getting trendy among threat actor groups. Over the last 12 months, we've seen more of those than ever before, to name only a few of them: tj-actions/changed-files : In March 2025, a popular reusable GitHub application workflow was compromised to dump secrets from CI/CD pipelines. Salesloft Drift : In August 2025, threat actors stole OAuth credentials from the compromised Drift chatbot application. Shai-Hulud : In September and November 2025, a wormed attack propagated through npm packages and collected secrets. The common thread among those incidents is that they all revolved around secrets, one way or another. Some used secrets as an initial access vector, and others were focused on collecting secrets from victim environments. March 2026 did not change the state of things, with two new severe attacks added to our dreadful collection: trivy-action & LiteLLM campaign by Team PCP. The most popular Axios package compromise. Both those attacks followed a now-classical pattern, spreading through compromised open-source dependencies to maximise the impact in the shortest possible time. Your all-time classic, now with added internal threats Open-source supply chain attacks are not new. Ever since we started using centralized open-source package registries, the risk has existed. Threat actors understood this and started exploiting it. What has changed since 2015 is how we have improved software development productivity through automation. And now, this very same automation that lets you test and build your projects without typing a single command is amplifying the supply-chain threat and the velocity of attacks. Let's see how. Keeping your malware up to date A very concerning pattern we've observed in the trivy-action and Axios campaigns is that automation can become the source of your compromise. One thing no develop
If you have ever run a Lighthouse audit on a content-heavy WordPress site, you know the usual verdict: "Serve images in next-gen formats." Translation: your JPEGs and PNGs are too heavy, and WebP would cut them down a lot. The problem is that nobody wants to convert images by hand, and most automated options either run as a bulk job you have to remember to trigger, or push your images to a cloud service with a monthly quota. I wanted something simpler: upload an image, get a WebP, done. So I built a free plugin called Pixellize Image Optimizer , and this post walks through the problem, how the plugin solves it, and how it works under the hood. Why WebP is worth it WebP files are usually 25 to 35 percent smaller than the equivalent JPG or PNG at the same visual quality. On an image-heavy page that is a real difference: Faster Largest Contentful Paint, which is one of the Core Web Vitals Google uses for ranking. Less bandwidth, which matters if you pay for CDN traffic. No visible quality loss at sensible quality settings. Browser support is no longer a concern. Every current browser handles WebP. The approach: convert on your own server, on upload Instead of a cloud API, the plugin converts images locally with the PHP GD or Imagick extension (almost every host has one). There is no account, no API key, and no paid tier. The core flow: You upload an image to the Media Library as usual. The plugin generates a WebP version of the full image and every thumbnail size. Your front end serves the WebP automatically. How it works under the hood For WordPress developers, here is the interesting part. The plugin hooks into the standard upload and rendering pipeline rather than fighting it: On upload, it taps into the attachment metadata generation so it can convert the full image and every registered sub-size, not just the original. That matters because responsive images use srcset , and a half-converted set defeats the purpose. On the front end, it rewrites image URLs to the We
OpenTelemetry has quietly become table stakes. That's a good thing, but if you've instrumented a real codebase, you know the tax. A method that does one obvious thing slowly fills up with StartActivity , SetTag , AddEvent , SetStatus . The bookkeeping of telemetry starts to drown out the intent of the code, and in review you spend half your time mentally separating "what this code does" from "what we report about what it does." It's easy to think "oh, but the framework takes care of this with auto-instrumentation", but if you talk to the experts in OTel, they'll go to great lengths to explain that auto-instrumentation is a floor, not a ceiling. Most of the value in telemetry comes from the custom instrumentation you add to your code that adds business context to your traces. And that custom instrumentation is the stuff that clutters up your code. Here's the kind of thing I mean: // before - ugly, obtuse, who put that there var orderId = order . Id ; Activity . Current ?. SetTag ( "orderId" , orderId ); Sidemark is my answer to that code-obfuscation problem: non-invasive instrumentation via what I'm calling Active Comments . // after - glorious, beautiful, basking in the light of the sun, closer to god, happy, satiated var orderId = order . Id ; //? The idea A small set of comment syntaxes - //? , //! , //?! - become ride-along annotations . They travel next to the code, get read at build time, and turn into the equivalent Activity calls in the compiled output. The code you read stays the code that does the work. The telemetry rides along instead of competing with your logic for attention. The framing is loosely inspired by Wallaby.js's Live Annotations , which project runtime values inline next to the code that produced them. Sidemark takes the same instinct in the other direction: comments as a write surface for instrumentation, rather than a read surface for debug values. Comments are an under-used channel for information about code that isn't itself code - and su
A lot of Linux incident response starts with a login question, not a malware sample. Someone sees a spike of failed SSH attempts. A root login appears in the wrong time window. A service account logs in from an address nobody recognizes. A helpdesk ticket says "the server looks weird" and the only concrete clue is a username or IP address. At that point, the useful question is not "is this host compromised?" It is more boring and more important: Did anyone actually authenticate? Which account was involved? Was it password, key, sudo, su, or a scheduled task? Was the same IP seen in web logs, current sockets, process context, or command history? Did persistence, services, packages, or recent files change near the same time? Can another responder review exactly what evidence was collected? That last point matters. If you let an AI assistant freely run shell commands during the first pass, you can get speed, but you also create a new risk: the model may over-collect, mutate the host, or produce a confident answer that nobody can audit later. For a login anomaly, I prefer a read-only evidence loop. A practical first pass Start with the narrow clue if you have one. If the alert names a user: oi login --user root -s 7d If the alert names an IP address: oi login --ip 203.0.113.44 -s 7d If the alert is vague, start wider: oi login -s 7d oi scan -s 7d The goal of the first pass is not to prove every detail. The goal is to build a timeline that a human responder can challenge. For a suspicious SSH login, I want the initial report to answer five things. 1. Authentication pattern Look for the difference between noise and access. A server can receive thousands of failed SSH attempts from the internet. That is useful background, but it is not the same as a successful session. The first split should be: failed attempts only successful login after many failures accepted key from an unusual source login by an account that normally should not be interactive root login where root SSH
I had a screenshot to send. Nothing secret — a stack trace from a side project — but it had an internal hostname, a file path with my username, and a chunk of a config file in the terminal behind it. The fast move is to drag it onto a free image host and paste the link. I sat there with my cursor over the upload button and couldn't do it. Because I know what happens next. That image lives on someone else's infrastructure, indefinitely, behind a URL I don't control, and I have no idea who else can reach it. For a throwaway screenshot, that's a permanent record I never agreed to. So I closed the tab and built a thing instead. It's called tmpdrop , and it's ~500 lines of Node. The threat model The problem with public file hosts isn't that they're evil. It's the gap between what you intend ("share this once, with one person") and what the platform delivers ("store this forever, serve it to anyone who finds the link"). A few specific things go wrong: Retention. "Temporary" hosts keep your files long after you've forgotten them. There's no expiry you can trust, and deletion is usually best-effort. Predictable URLs. Plenty of hosts use sequential or short IDs. Scrapers walk the keyspace and hoover up everything. Your "private" link was never private. Stored XSS via uploads. If a host serves an uploaded .html or .svg file inline with a permissive content type, an attacker can ship JavaScript that runs in your browser, in the host's origin. Your file host becomes an XSS delivery service. Abuse vectors. No rate limit means the box is a free CDN for whatever someone wants to dump on it — malware, spam payloads, the works. So the design goal wasn't "another uploader." It was: close each of those gaps, then stop. What I built tmpdrop is a single Fastify server backed by SQLite. The whole defensive surface is small enough to hold in your head: Unguessable URLs. Slugs are 9 random bytes, base64url-encoded — 72 bits of entropy. You cannot enumerate them. A TTL reaper. Every upload
MikuMikuDance still lives mostly on the desktop: PMX models, VMD motion, skirt physics, camera work. We built AnimaStage Lite — an open-source browser studio so you can load assets, preview motion, add FX, and export vertical Shorts without installing MMD. 🔗 Repository: https://github.com/FBNonaMe/animastage-lite 🌐 Live demo: https://animastage-lite.app/ 🎬 Open the studio: https://animastage-lite.app/app Why the browser? Short-form creators need: 9:16 framing and 1080×1920 export Fast PMX + VMD iteration Stable WebGL on everyday laptops AnimaStage Lite is not a full MMD clone — it’s a focused stage : load, animate, light, record. Stack Layer Tech UI React 19 + TypeScript 3D Three.js + React Three Fiber Build Vite 6 Physics Bullet (Ammo.js) HQ video WebCodecs + mp4-muxer Live video MediaRecorder All core features run client-side . What it does Drag & drop PMX/PMD, VMD, textures, HDR Timeline + dopesheet + Bézier curves + VMD export Bullet physics — skirt, hair, accessories RTX Lite — bloom, DOF, weather, style presets MP4 HQ (frame-by-frame) and Live recording Clean capture — no gizmos in the final video 9:16 Lite — lighter render path to reduce WebGL context loss Optional: MediaPipe mocap, Gemini AI keys, Local/WebRTC collab. Try it Online: https://animastage-lite.app/app — drop your PMX + VMD. Locally: bash git clone https://github.com/FBNonaMe/animastage-lite.git cd animastage-lite npm install npm run dev https://animastage-lite.app/ — landing http://localhost:3000/app — studio (local) Optional AI: copy .env.example → .env and set VITE_GEMINI_API_KEY. Open source Star ⭐ the repo, open issues, send PRs: https://github.com/FBNonaMe/animastage-lite MMD models are not bundled — use only content you have rights to publish. What would you use this for — Shorts, VTuber previews, or learning Three.js? Comments welcome. ---
You know that feeling when you join a new project or want to contribute to an open-source repo, and you spend the first two days just trying to figure out where everything is? I did. Every single time. Clone the repo. Open the files. Stare at 47 folders. Wonder which one actually matters. Grep for the entry point. Follow imports down a rabbit hole. Give up and ask someone. That's not learning. That's just wasted time. So I built CodeAutopsy. What it does Paste any GitHub URL. That's it. CodeAutopsy clones the repo, parses every file into an AST (Abstract Syntax Tree), traces every import and dependency, and gives you: An interactive dependency graph showing exactly what imports what The entry points — where execution actually starts A blast radius map — click any file and instantly see everything that breaks if you change it An AI-generated architectural summary explaining what the codebase does, how it's structured, and how to get started Live Health Telemetry: An Edge API that generates a live SVG health badge (A to F grade). Drop the markdown in your README once. Every time you refactor and re-scan, your badge updates everywhere instantly. My own CodeAutopsy repo just hit 99/100. Drop the markdown snippet once and forget about it. What used to take days now takes about 10 seconds. The real problem it solves Every developer has been here: You're onboarding at a new job. The codebase has 200 files. Your tech lead says "just read the code." You spend a week feeling lost. You want to contribute to an open-source project. The repo has no architecture docs. You don't know where to start. You're doing a code review on a PR that touches 15 files. You have no idea what the blast radius of those changes is. CodeAutopsy solves all three. The interesting engineering problems The hardest part wasn't the AST parsing — it was keeping it serverless without hitting Vercel's 504 timeout limits, while making the AI analysis feel instant. The Serverless Timeout Hack: Doing AST extra
Most scraping projects start by finding a website to scrape. This one started from the opposite direction: I knew the data existed as official government downloads, and my job was to make it accessible via a clean API. The data source Ofsted (the UK school inspections body) publishes monthly management information as CSV files on GOV.UK. The file covers all 22,000+ state-funded schools in England with their latest inspection grades, local authority, postcode, phase, and size data. It's 16 MB, published under the Open Government Licence v3.0 — explicitly permitting commercial use. No scraping needed. No authentication. Just a CSV download and some parsing logic. The architecture The actor is deliberately simple: Fetch the GOV.UK stats page to find the current month's CSV URL (the URL hash changes with each release) Download the CSV (~16 MB from assets.publishing.service.gov.uk ) Parse it with csv-parse Apply the user's filters (name, local authority, region, postcode prefix) Push matching records to the Apify dataset No Crawlee. No browser. No proxy. Just fetch() and a CSV parser. const match = html . match ( /href=" ( https: \/\/ assets \. publishing \. service \. gov \. uk \/[^ " ] +latest_inspections_as_at [^ " ] + \. csv ) "/ ); That one regex does the URL discovery. The GOV.UK page lists files in reverse chronological order, so the first match is always the latest release. The interesting part: Ofsted changed their grading system mid-build I built this in May 2026. In November 2025, Ofsted scrapped their 20-year-old four-word judgement system (Outstanding / Good / Requires Improvement / Inadequate) and replaced it with a report card format — six separate grade areas, each on a five-point scale: Exceptional Strong Expected standard Needs attention Urgent improvement Plus a standalone Safeguarding verdict (Met / Not met). The April 2026 CSV reflects this change entirely. There's no "Overall effectiveness" column. Schools inspected before November 2025 have null gr
How vibecoding is destroying the open source that feeds it March 3, 2026 The snake eating its own tail A year ago, vibecoding was a curiosity. Today, it’s an industry. Millions of developers — or rather prompters — generate entire applications by describing what they want to an LLM. In minutes, an API, a frontend, a deployment. Magical. But behind this magic lies a dirty secret that nobody wants to face: every line of code generated by these AIs was trained on millions of open source projects — projects that are now dying. Vibecoding would be nothing without open source. And it’s killing it. What exactly is vibecoding? For those who spent 2025 in a cave: vibecoding is the practice of creating software in natural language, relying on generative AI models (Claude, GPT-5, Gemini, and the dozens of specialized models that have emerged since). You describe a vibe , an intention, and the AI produces the code. No debugging. No reading documentation. No Stack Overflow. And above all — here’s the crux — no contributing back . The implicit pact of open source is broken The open source ecosystem has always rested on a tacit social contract: I publish my code for free. In return, others use it, find bugs, suggest improvements, contribute. The project lives because a community keeps it alive. This contract had already been severely tested by large corporations that consume open source without contributing proportionally. But at least the developers who used these libraries understood them. They opened issues. They forked. They sent pull requests. They wrote blog posts that spread the word about the project. Vibecoding has blown up this cycle. The vibecoder doesn’t know which library they’re using. They don’t know, and they don’t care. They asked “build me a payment API with webhook handling,” and the AI chose this or that dependency for them. They will never read that project’s README. They will never open an issue. They won’t even know that project exists . The chilling numbers
OpenSparrow v2.6 is out. This one's a big step forward — RAG (Retrieval-Augmented Generation) integration, bulk grid operations, and a whole new UX layer. RAG & AI integration You can now upload documents and let users ask questions against them. The system retrieves relevant sections and generates answers using an LLM (supports Ollama locally or any OpenAI-compatible API). What's new: RAG Statistics tab in admin — tracks query tokens, response times, document matches, and recent queries Multilingual auto-response — user questions are answered in their own UI language, no schema changes needed 20-language support — "Ask AI" panel fully translated, plus language dropdown in the test interface Good for things like: knowledge base Q&A, customer support automation, or letting internal teams ask questions about their own data. Grid & bulk operations Mass Edit module — select rows via checkboxes, bulk edit fields, change owners, duplicate, or delete with one click Keyboard shortcuts — arrow keys to navigate, Tab, Ctrl+C to copy, Ctrl+F to search, Ctrl-hold for help modal — works across all 20 languages Quick Data Cleanup toolbar — find & replace with live preview, case sensitivity, accent-ignore. Editor-gated with audit trail. Admin improvements Renamed "RAG Knowledge Base" to "Centrum AI" (heading is translatable) Migration Manager — tracks pending cleanup tasks after version upgrades, with automatic backups and audit trail FK columns render as dropdowns in forms by default Security & Quality All bulk operations (mass edit, cleanup, delete) are editor-role gated CSRF protection on every operation Full audit trail — every change is logged 20 languages fully supported across all new modules Fixed regressions in RAG API and CSV import Following this series? OpenSparrow v2.3 – visual admin panel, zero dependencies, now with ERD and M2M support OpenSparrow – open-source admin panel builder, zero dependencies, v2.1 just dropped Websites opensparrow.org github.com/wrobeltomasz/
I got tired of explaining to people why their "simple weather widget" needed an API key, a signup form, and a credit card. So I built a weather API that doesn't need any of that. Here's how you can add live weather to your personal website, portfolio, or side project in about 60 seconds. The old way (painful) Most weather APIs make you: Create an account Verify your email Generate an API key Paste that key into your code Worry about rate limits Get an email when your "free tier" expires For a weather widget on a personal site? That's overkill. The Nimbus way (one fetch, done) I made a public API that doesn't need keys. Just call it. fetch ( ' https://nimbus-api-gxuc.onrender.com/api/v1/weather?city=Berlin ' ) . then ( response => response . json ()) . then ( data => { console . log ( data ); }); That's it. No headers. No tokens. No signup. Real example: Put it on your site Here's a working snippet you can drop into any HTML page right now: <div id= "weather-widget" > <p> Loading weather... </p> </div> <script> fetch ( ' https://nimbus-api-gxuc.onrender.com/api/v1/weather?city=Berlin ' ) . then ( res => res . json ()) . then ( data => { const weatherHtml = data . temp_celsius + ' °C • ' + data . description + ' <br>Wind: ' + data . wind_speed_kmh + ' km/h • Humidity: ' + data . humidity_percent + ' % ' ; document . getElementById ( ' weather-widget ' ). innerHTML = ' <strong> ' + data . location + ' </strong><br> ' + weatherHtml ; }) . catch ( function () { document . getElementById ( ' weather-widget ' ). innerHTML = ' <p>Weather not available right now</p> ' ; }); </script> Change Berlin to any city. It works. Why did I build this? Because I got tired of closed source APIs that change their pricing every 6 months. Nimbus is open source. The code is on GitHub. You can read it, fork it, or run your own version if you don't trust me. The API is free because hosting a weather endpoint costs me almost nothing, and I'd rather lose money than put up a paywall. Try it righ
GitHub热门项目 | A simple, decentralized mesh VPN with WireGuard support. | Stars: 11,608 | 173 stars this week | 语言: Rust
GitHub热门项目 | ⚡A CLI tool for code structural search, lint and rewriting. Written in Rust | Stars: 14,208 | 205 stars this week | 语言: Rust