AI 资讯
SMS Pumping Is Draining Your 2FA Budget — and Mobile-Originated iMessage 2FA Fixes It
If you send SMS one-time codes, there's a decent chance you're paying scammers to phone-spam themselves on your dime. It even has a name: SMS pumping . And it's not a rounding error — Elon Musk claimed Twitter was losing ~$60M/year to fake 2FA traffic before they killed SMS 2FA for free accounts. Here's how the scam works, why SMS 2FA is structurally expensive, and why flipping the direction — mobile-originated (MO) 2FA , taken to its logical end over iMessage — fixes both the cost and the fraud at once. What is SMS pumping? SMS pumping (also called AIT — Artificially Inflated Traffic , or SMS toll fraud ) is a scheme where bad actors abuse a form that sends SMS one-time codes. They pump thousands of phone numbers — usually premium ranges they secretly control with a telecom — into your "send me a code" endpoint. You pay for every one of those messages. A cut of that termination fee flows back to the fraudsters via the carrier. The "users" never log in. They were never users. The entire point was to make your verification endpoint dial a meter that pays them. The structure that makes this possible is simple: you, the company, send (and pay for) the message. Every code is revenue for someone in the delivery chain — so there's a direct financial incentive to trigger as many as possible. Why SMS 2FA is expensive even without fraud Even with zero abuse, application-to-person ( A2P SMS ) is a bad cost curve: You pay per message. Volume spikes — a launch, a bot attack, an international audience — turn into surprise bills. International is brutal. Cross-border A2P carries steep carrier surcharges that vary wildly by destination. Carrier fees and registration overhead. In the US you're funneled through A2P 10DLC registration, brand vetting, and per-segment fees before you send a single legit code. So your 2FA line item is pay-per-event , unpredictable , and exploitable . Three bad properties for something that's supposed to be boring infrastructure. The Twitter/X case This
AI 资讯
TeamLab 那片會跟著你走的花海,原理拆解 DIY
TeamLab 那片會跟著你走的花海,原理拆解+DIY 先看這張圖 這是 TeamLab 在東京台場的《呼應燈之森林》。當你走過去,附近的燈會慢慢亮起;你離開後,燈又慢慢暗下去,像是真的森林一樣。 還有另一個作品《花與人的共存》,花叢會跟著你移動——你站的地方,花就開在你腳邊;你離開,花就凋謝。 這兩件作品的核心邏輯是一樣的。這篇文章就來拆解它。 原理一:偵測位置 TeamLab 的互動裝置需要知道「你在哪裡」。 最常見的方法有兩種: 紅外線感應 :在地面下方埋紅外線接收器,你走過時阻擋光線,系統就知道有人在這個位置。缺點是只能測「有沒有人」,不能測「人在哪一個方向」。 深度相機(RealSense / Kinect) :像 Xbox 的體感相機,透過紅外線測量每一個點到你相機的距離,生成一張「深度地圖」。軟體在深度地圖裡找出人體的位置,然後算出座標。 DIY 版本 :一塊 Arduino + 超音波感測器(HC-SR04,大約 60 元)就能做到基本的「有人靠近」偵測。 原理二:控制回應 知道你在哪裡之後,系統要決定「要做什麼回應」。 TeamLab 的做法是 :不是「觸發」,而是「強度變化」 。 傳統的感應燈:感應到人 → 燈全亮 → 人離開 → 燈全滅。 TeamLab 的邏輯:感應到人 → 燈慢慢變亮(0.5 秒)→ 人持續在 → 維持亮度 → 人離開 → 慢慢變暗(2 秒)。 「慢慢」是關鍵。瞬間變化讓人注意到「科技」;緩慢變化讓人以為「這個空間有生命」。 這就是「驚奇設計」的核心: 時機對了,物理反應看起來像生物反應。 原理三:集體行為 最後一個秘密:TeamLab 的裝置很少只有一個「回應」。 通常會有 100-500 個元素(燈、花、光點)。每個元素各自計算自己與你的距離,決定自己的亮度或顏色。 當 500 個燈各自以稍微不同的速度亮起和暗下,你看到的不是「一個燈亮了」,而是「一片森林在你腳下呼吸」。 心理錯覺 :你把「一群各自輕微不同步的簡單反應」,詮釋成「一個整體有意志的生物」。 用 Arduino 自己做一個迷你版 材料: Arduino Uno(大約 200 元) 超音波感測器 HC-SR04(大約 60 元) LED 燈 x 3(大約 15 元) 麵包板和杜邦線 原理很簡單: 超音波感測器偵測距離 距離越近,LED 越亮(用 PWM 訊號控制) 距離越遠,LED 越暗 int trig = 7 ; int echo = 6 ; int led = 9 ; void setup () { Serial . begin ( 9600 ); pinMode ( trig , OUTPUT ); pinMode ( echo , INPUT ); pinMode ( led , OUTPUT ); } void loop () { digitalWrite ( trig , LOW ); delayMicroseconds ( 2 ); digitalWrite ( trig , HIGH ); delayMicroseconds ( 10 ); digitalWrite ( trig , LOW ); long duration = pulseIn ( echo , HIGH ); long distance = duration * 0.034 / 2 ; // 距離越近,LED 越亮 int brightness = map ( distance , 0 , 100 , 255 , 0 ); brightness = constrain ( brightness , 0 , 255 ); analogWrite ( led , brightness ); delay ( 50 ); } 這不是 TeamLab,但這是你自己做的「會呼吸的燈」。每個 maker 都是從這裡開始的。 庭庭:這個看起來很難 真的沒有你想的那麼難。 需要的東西全部可以在蝦皮買到,全部加起來大約 300 元。網路上有超多 Arduino 教學,關鍵字搜「Arduino 超音波 LED」就有幾十篇中文教學。 你不需要懂電子,只需要跟著步驟做,做完會有「哇,我自己做出了一個會亮的東西」的感動。 如果你想更進一步 TeamLab 的進入門檻其實不是技術,是「你要把技術藏在美學後面」。 推薦兩個方向可以繼續研究: p5.js + webcam :用 p5.js 讀取你的 webcam 影像,偵測顏色或移動。相當於用軟體做到 Kinect 的效果,零硬體成本。 Processing + 投影機 :把電腦畫面投射到牆上或地面上,加上感測器,就是一個簡單版互動投影。投影機在蝦皮一兩千元就有。 今日概念 :TeamLab 的魔法不是魔法,是三個原
开发者
【互動藝術 DIY】用 p5.js 做一塊會呼吸的粒子背景(無程式背景可)
【互動藝術 DIY】用 p5.js 做一塊會呼吸的粒子背景 先問自己:阿哲會想動手嗎? 看完這個效果,阿哲可能會想: 「那如果我把粒子排成自己的名字,滑鼠靠近時會散開嗎?」 這就是正確的方向—— 讓讀者想自己動手改參數 ,而不是背程式碼。 這個方法厲害在哪? p5.js 官網有很多炫技的粒子效果,但大部分只是給你看「很厲害」。 這次不一樣——我要教你 用最少程式碼,做出最有呼吸感的互動 。 秘密是:用「距離」控制行為,用「lerp」讓移動變溫柔。 教學順序 先建立粒子:讓一群點組成畫面 教動畫:用 sin() 做出呼吸節奏 教距離感:用 dist() 偵測滑鼠 教溫柔散開:用 lerp() 柔和移動,不是瞬移 最後加美感:透明度、殘影、暖色 第一步:讓粒子回家 class Particle { constructor ( x , y ) { this . homeX = x ; // 記住家的位置 this . homeY = y ; this . x = x ; this . y = y ; } // 讓粒子回家的力量 returnHome () { this . x = lerp ( this . x , this . homeX , 0.05 ); // 每次移動5%的距離 this . y = lerp ( this . y , this . homeY , 0.05 ); } show () { noStroke (); fill ( 255 , 180 , 120 , 200 ); // 暖橙色 ellipse ( this . x , this . y , 4 ); } } 第二步:偵測滑鼠距離 function draw () { for ( let p of particles ) { let d = dist ( mouseX , mouseY , p . x , p . y ); if ( d < 100 ) { // 滑鼠靠近時,輕輕推開 let force = 0.05 * ( 100 - d ) / 100 ; p . x += ( p . x - mouseX ) / d * force ; p . y += ( p . y - mouseY ) / d * force ; } p . returnHome (); p . show (); } } 第三步:加呼吸節奏 let breathPhase = 0 ; function draw () { breathPhase += 0.02 ; let breath = sin ( breathPhase ); // -1 ~ +1 來回循環 background ( 10 , 8 , 5 ); // 暖暗色背景 for ( let p of particles ) { let d = dist ( mouseX , mouseY , p . x , p . y ); if ( d < 100 ) { let force = 0.05 * ( 100 - d ) / 100 ; p . x += ( p . x - mouseX ) / d * force ; p . y += ( p . y - mouseY ) / d * force ; } p . returnHome (); p . show ( breath ); // 把呼吸相位傳進去 } } function show ( breath ) { noStroke (); // 呼吸時變亮,吐氣時變暗 let alpha = map ( breath , - 1 , 1 , 150 , 255 ); fill ( 255 , 180 , 120 , alpha ); ellipse ( this . x , this . y , 4 ); } 第四步:殘影效果 function draw () { // 不要每幀清掉背景,而是蓋一層半透明黑色 fill ( 10 , 8 , 5 , 30 ); rect ( 0 , 0 , width , height ); // ... 其餘粒子邏輯 } 這樣粒子移動時會留下淡淡的光跡——很有沉浸式裝置的 feel。 阿哲可以怎麼玩? 參數 預設值 改成... 效果 感知半徑 100px 50px 只有非常靠近才有反應 回家速度 0.05 0.02 超級慢,像在水裡 回家速度 0.05 0.2 快一點回覆 粒子數量 200 50 稀疏的星塵感 粒子颜色 暖橙 淡粉 更柔和的感覺 延伸練習 把粒子排成自己的名字 :讓粒子組成「阿哲」或英文字母輪廓,滑鼠靠近時文字散開,離開後慢慢聚回來。 滑鼠不是破壞者,是一陣風 :不只是排斥,而是讓粒子沿著滑鼠移動方向飄
AI 资讯
CDP Browser Control: Driving Real Chromium from Python
Playwright and Selenium are great until you hit bot detection. Google OAuth, Cloudflare, and Vercel checkpoints all flag headless browsers. Here's how to control a real Chromium instance via CDP using Python and websockets. Why Not Playwright? Playwright launches a headless browser with automation flags. Even in headed mode with Xvfb, Google detects it. The CDP Approach Launch Chromium with remote debugging: chromium-browser --user-data-dir = /path/to/profile --remote-debugging-port = 9222 --no-first-run Connect via WebSocket in Python: import asyncio , json , websockets , urllib . request async def get_page_ws (): resp = urllib . request . urlopen ( ' http://localhost:9222/json ' ) targets = json . loads ( resp . read ()) for t in targets : if t [ ' type ' ] == ' page ' : return t [ ' webSocketDebuggerUrl ' ] async def cdp_call ( ws , method , params = None ): msg_id = cdp_call . id = getattr ( cdp_call , ' id ' , 0 ) + 1 msg = { ' id ' : msg_id , ' method ' : method } if params : msg [ ' params ' ] = params await ws . send ( json . dumps ( msg )) while True : resp = json . loads ( await ws . recv ()) if resp . get ( ' id ' ) == msg_id : return resp Key Advantages Real browser fingerprint, no automation flags Persistent sessions, cookies survive across runs Google OAuth works, existing sessions carry over No bot detection, it IS a real browser Follow for more tutorials on browser automation and AI agent architecture.
AI 资讯
Framework-Specific Env Patterns
Your schema is portable. But each runtime loads environment variables differently. CtroEnv adapters bridge the gap — same validation logic, different data sources. Node.js: process.env + .env Files The @ctroenv/node adapter loads .env files and wraps process.env : import { defineEnv , string , number } from " @ctroenv/core " import { loadEnv } from " @ctroenv/node " const env = defineEnv ( schema , { source : loadEnv () }) loadEnv() resolves files in order: .env — shared defaults .env.{NODE_ENV} — environment-specific ( .env.development , .env.production ) .env.local — local overrides (gitignored) Later files override earlier ones. process.env takes precedence unless override: true . Monorepo Root loadEnv ({ path : " ../.. " }) // look up two directories for root .env Native Node 22+ Node 22 has built-in process.loadEnvFile() . Use native: true to delegate: loadEnv ({ native : true }) // uses process.loadEnvFile() if available Falls back to the custom parser on older Node versions. System Fallback By default, only file values are returned. With system: true , missing keys fall through to process.env : loadEnv ({ system : true }) Standalone Parser Use parseEnvFile() directly for custom file loading: import { parseEnvFile } from " @ctroenv/node " const content = readFileSync ( " .env.custom " , " utf-8 " ) const vars = parseEnvFile ( content ) Handles quotes, multiline values (backslash continuation), interpolation ( ${VAR} ), comments, and export prefix. Vite: Build-Time Validation The @ctroenv/vite plugin validates during the build: // vite.config.ts import { ctroenvPlugin } from " @ctroenv/vite " export default defineConfig ({ plugins : [ ctroenvPlugin ({ schema : " ./src/env.ts " }), ], }) If DATABASE_URL is missing, the build fails — no broken artifacts shipped. Schema Options Pass a file path or inline definition: // File path — imports the module, looks for `schema` export ctroenvPlugin ({ schema : " ./src/env.ts " }) // Inline definition ctroenvPlugin ({ schem
AI 资讯
Cutting OpenAI Costs From Scratch: What Nobody Tells You
Cutting OpenAI Costs From Scratch: What Nobody Tells You Three months ago I sat down with my finance lead and watched her scroll through our OpenAI invoice. The number was $14,200 for the month. That was the moment I knew we had a problem. Not a "maybe we should optimize" problem — a real, existential, "this kills our margins before we hit Series B" problem. I run a B2B SaaS platform that does a lot of LLM-powered document processing. Summarization, extraction, classification, the boring stuff that makes real money but burns tokens like crazy. We were routing everything through GPT-4o because, honestly, it was the path of least resistance when we started. Then the bills started arriving. This is the story of how I cut our LLM spend by 97%, the architecture decisions that made it possible, and the things I wish someone had told me before I started. The Math That Made Me Sweat Let me put actual numbers on the table. Here's what I was paying versus what I pay now: Model Provider Input $/M Output $/M vs GPT-4o GPT-4o OpenAI $2.50 $10.00 — GPT-4o-mini OpenAI $0.15 $0.60 16.7× cheaper DeepSeek V4 Flash Global API $0.18 $0.25 40× cheaper Qwen3-32B Global API $0.18 $0.28 35.7× cheaper DeepSeek V4 Pro Global API $0.57 $0.78 12.8× cheaper GLM-5 Global API $0.73 $1.92 5.2× cheaper Kimi K2.5 Global API $0.59 $3.00 3.3× cheaper Look at that DeepSeek V4 Flash row. 40× cheaper than GPT-4o. For comparable quality on the workloads I was running. I had been leaving 97.5% of my budget on the table. Doing the mental math: a $500/month OpenAI bill becomes $12.50. My $14,200 bill? Theoretically $355. That's not optimization, that's a different business. Why I Almost Didn't Do It Here's the thing nobody tells you about cost optimization at a startup: it's not a technical problem, it's a willpower problem. The reason I was paying OpenAI 40× too much wasn't because their API is hard to use. It was because switching felt risky. I had deadlines. I had a roadmap. I had investors asking about g
AI 资讯
Parsing and Rebuilding EPUB Files in Python: Lessons Learned
How we handle complex EPUB structures for AI translation without breaking navigation and metadata At LectuLibre , we built an AI‑powered book translation service. Users upload an EPUB, and our pipeline translates the text using LLMs like Claude and DeepSeek. That sounds straightforward until you have to parse and rebuild a valid EPUB without mangling the table of contents, internal links, or styles. I’m sharing the real‑world challenge we faced, how we chose our tooling, and the ugly corners we discovered when dealing with real‑world EPUB files. The Problem: EPUB is a Messy Zip File An EPUB is essentially a ZIP archive containing XHTML, CSS, images, and an OPF manifest. It’s a well‑defined standard (EPUB 3.2), but in practice publishers produce files that bend the rules: missing container.xml , inline styles that break after translation, and structural quirks that make parsing fragile. Our translation process needed to: Accept any EPUB the user throws at us. Extract all text content while preserving the exact structure. Send each paragraph to an LLM for translation. Re‑insert the translated text into the original XHTML files. Repackage everything into a new, valid EPUB. Step 4 is the tricky part: the translated text can be longer or shorter, it may contain characters that need escaping, and the surrounding markup must remain intact. Our Approach: Use ebooklib with a Dose of Defensive Coding We evaluated several Python libraries: epub (pypub) – too simple, no editing support. lxml + manual zip – too much boilerplate. ebooklib – full read/write with a clean API. We went with ebooklib . It provides an object‑oriented model of the EPUB structure, allows us to iterate over documents, and can write a new EPUB from the modified objects. The downside: its documentation is sparse and it can choke on malformed files. We had to layer on a lot of validation. Step 1: Loading and Validating the EPUB import ebooklib from ebooklib import epub def load_epub ( epub_path : str ) -> ep
AI 资讯
Mastering the "Quantified Self": Building a Blazing-Fast Heart Rate Dashboard with DuckDB and Streamlit
As programmers, we love data. We track our commits, our uptime, and our deployment frequencies. But what about our most important "server"—our heart? 💓 The "Quantified Self" movement has led to an explosion of wearable data. However, if you've ever tried to analyze raw heart rate CSVs (often sampled every few seconds), you'll quickly realize that standard relational databases or even pure Pandas can get sluggish once you hit that 100k+ row mark. In this tutorial, we are going to build a high-performance Quantified Self Dashboard . We will leverage DuckDB —the "SQLite for Analytics"—to perform vectorized execution on heart rate data, paired with Streamlit and Plotly for a slick, interactive frontend. We’ll focus on Python data engineering , time-series analysis , and fast SQL processing . Why DuckDB? 🦆 Traditional databases are row-based, which is great for transactions but terrible for analytical queries. DuckDB is a columnar-vectorized query engine . This means it processes data in chunks (vectors) and utilizes modern CPU instructions (SIMD) to crunch numbers at speeds that make standard Python loops look like they're standing still. The Architecture Here is how our data pipeline flows from raw pixels (well, raw CSV rows) to actionable insights: graph TD A[Raw Heart Rate CSVs] -->|Direct Ingestion| B(DuckDB Engine) B -->|Vectorized SQL Execution| C{Data Aggregation} C -->|Moving Averages/Outliers| D[Streamlit App State] D -->|Plotly| E[Interactive Visualization] E -->|User Input| D Prerequisites 🛠️ Ensure you have the following stack installed: Python 3.9+ DuckDB : For the heavy lifting. Streamlit : For the UI. Plotly : For the beautiful charts. pip install duckdb streamlit plotly pandas Step 1: Ingesting 100,000+ Data Points in Milliseconds One of the coolest features of DuckDB is its ability to query CSV files directly without a formal "import" step. This is a game-changer for developer productivity. import duckdb import pandas as pd # Let's assume 'heart_rate.cs
开发者
Array Methods in JS - Part 2
JavaScript Array Search Methods What are Array Search Methods? Array Search Methods are used to: Find the position (index) of an element. Check whether an element exists. Retrieve an element that satisfies a condition. Find the index of an element that matches a condition. Search from the beginning or the end of an array. Common Array Search Methods Method Purpose Returns indexOf() Finds the first occurrence of a value Index or -1 lastIndexOf() Finds the last occurrence of a value Index or -1 includes() Checks whether a value exists true / false find() Finds the first matching element Element or undefined findIndex() Finds the index of the first matching element Index or -1 findLast() (ES2023) Finds the last matching element Element or undefined findLastIndex() (ES2023) Finds the last matching index Index or -1 1. Array.indexOf() Definition The indexOf() method searches an array for a specified value and returns the index of its first occurrence . If the value is not found, it returns -1 . Syntax array . indexOf ( searchElement ) array . indexOf ( searchElement , startIndex ) Parameters Parameter Description searchElement Value to search for startIndex (optional) Index where the search starts Returns Index of the first matching element. -1 if not found. Internal Working Suppose: let fruits = [ " Apple " , " Orange " , " Mango " , " Orange " ]; Memory: Index 0 → Apple 1 → Orange 2 → Mango 3 → Orange When: fruits . indexOf ( " Orange " ); JavaScript starts from index 0 : Apple ❌ Orange ✅ Found Stops immediately and returns: 1 Example let fruits = [ " Apple " , " Orange " , " Banana " ]; console . log ( fruits . indexOf ( " Orange " )); Output 1 Example - Not Found let fruits = [ " Apple " , " Orange " ]; console . log ( fruits . indexOf ( " Mango " )); Output -1 Example - Start Position let fruits = [ " Apple " , " Orange " , " Banana " , " Orange " ]; console . log ( fruits . indexOf ( " Orange " , 2 )); Output 3 Real-Time Example Suppose an e-commerce site wants to
AI 资讯
linux lab
Lab 1 – Linux Navigation & Files (20 points) Task 1 Create the following structure. /home/student/ ├── project │ ├── logs │ ├── scripts │ └── backup Requirements create all directories create app.log error.log install.sh inside correct folders. Task 2 Move app.log into backup Task 3 Delete error.log Task 4 Find install.sh using only one command. Lab 2 – Permissions (20 points) Create secret.txt Requirements Owner read/write Group read Others no access Verify permissions. Create a new user developer Switch to that user. Can the user read secret.txt Explain why. Lab 3 – Processes (20 points) Start a process Example sleep 500 Questions Find PID Kill the process Verify it stopped. Bonus Find the top five processes using the most memory. Lab 4 – Disk Space (20 points) Create a directory practice Generate a file about 100 MB. Questions How much disk space is used? How much free disk space remains? Which command shows directory size? Lab 5 – Networking (30 points) Find Your hostname private IP default gateway DNS server Ping 8.8.8.8 Questions Did it work? Ping google.com If this fails but 8.8.8.8 works, what is the problem? Display All listening ports. What service is listening on port 22? Lab 6 – Troubleshooting (40 points) Scenario 1 A user says "Internet is not working." Show the commands you would run. Expected ideas ip addr ping 8.8.8.8 ping google.com ip route cat /etc/resolv.conf Explain each step. Scenario 2 A website is down. Questions How do you verify server is running? nginx is running? port 80 is listening? firewall issue? logs? Commands should include systemctl status nginx journalctl -u nginx ss -tuln curl localhost systemctl restart nginx Scenario 3 SSH stopped working. How would you troubleshoot? Expected ping server ssh localhost systemctl status ssh ss -tulpn journalctl -xe systemctl restart ssh Lab 7 – Mixed Practical (Best Assessment) Tell students: You are the new Junior DevOps Engineer. The manager asks you to prepare a server. Complete all tasks. Ta
开源项目
Docs as Code: Build a CI/CD Pipeline for Your Documentation
Your code has CI/CD. Your docs don't. Every modern engineering team has automated builds, tests, and deployments for their code. But documentation? That's still someone manually exporting a PDF, uploading it to Confluence, and hoping it's the latest version. This post shows you how to treat documentation like code: version-controlled Markdown in a Git repo, automatically rendered to branded PDFs on every push. No manual steps, no stale documents. The stack PaperQuire gives you three tools that work together: .paperquire.yml — project config that locks in your template, branding, and document options CLI — paperquire render and paperquire batch for scripting and local builds GitHub Action — paperquire/render-action for automated builds in CI Each one builds on the previous. The config file means no one has to remember flags. The CLI means you can test locally. The action means it happens automatically. Step 1: Add a project config Drop a .paperquire.yml in your repo root. Every render — GUI, CLI, and CI — picks up these settings automatically: template : corporate toc : true toc-depth : 3 h1-page-break : true cover : title : " Project Documentation" author : " Engineering Team" branding : primary-color : " #2563eb" This is your single source of truth for how documents look. Change it once, and every PDF across every environment updates. Step 2: Test locally with the CLI Before committing, verify your docs render correctly: # Render a single file paperquire docs/architecture.md -o out/architecture.pdf # Batch render the entire docs directory paperquire batch ./docs -o ./out # Dry run — validate without producing output paperquire batch ./docs --dry-run The CLI reads .paperquire.yml automatically. The output is identical to what CI will produce. Step 3: Automate with the GitHub Action Add one workflow file and your docs build themselves: # .github/workflows/docs.yml name : Build Documentation on : push : paths : - ' docs/**/*.md' - ' .paperquire.yml' jobs : render : ru
AI 资讯
How to Stream & Flatten 1GB+ JSON to CSV in the Browser Without Memory Leaks
As developers, data engineers, or analysts, we’ve all been there: you download a massive database export, a logging stack dump, or a transaction archive, only to find it's a multi-gigabyte JSON file. You try to import it into a spreadsheet or run it through a standard online converter, and boom—your browser tab freezes, crashes, or shows the dreaded "Out of Memory" screen. Even worse, if you try to use standard cloud-based online tools, you might have to wait for a 500MB upload to complete, only to hit a rigid file-size cap or, worse, compromise sensitive data privacy by uploading corporate logs or database records to a third-party server. In this guide, we will explore: Why large JSON files crash standard parsers (the V8 heap limit problem). How streaming architectures solve this by reading data chunk-by-chunk. NDJSON (JSON Lines) vs. JSON Arrays and how to stream them. A browser-native, 100% offline tool to convert large JSON to CSV instantly: Parsify's Large JSON Stream Converter . How to implement your own basic browser-based JSON streaming parser in JavaScript. 1. The Anatomy of a Memory Crash (Why JSON.parse Fails) If you are using JavaScript or Node.js, the simplest way to read and parse a JSON file is to load the file into memory and run JSON.parse(). const fs = require ( ' fs ' ); // Naive approach: Will crash on a 1GB+ file fs . readFile ( ' database-dump.json ' , ' utf8 ' , ( err , data ) => { if ( err ) throw err ; // POINT OF FAILURE: V8 Heap Out of Memory const records = JSON . parse ( data ); records . forEach ( record => { // Process record... }); }); This works fine for small config files. But once your JSON file reaches 100MB, 500MB, or 1GB+, this approach is guaranteed to trigger a fatal crash: FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory Why does this happen? The String Duplication Overhead: When you load a 1GB file into memory, you first allocate ~1GB of RAM for the raw text string. The
AI 资讯
Creating Short Links with PHP: A Practical Guide
Creating Short Links with PHP: A Practical Guide URL shorteners are everywhere. They're used in marketing campaigns, email newsletters, QR codes, social media posts, affiliate links, and analytics platforms. While most developers are familiar with services like Bitly, integrating a URL shortener directly into your application is often much more useful. In this article, we'll build short links from PHP using an API. Why Create Short Links Programmatically? Creating links through a dashboard works for occasional usage. But applications often need to generate links automatically. Common examples include: Email campaigns User invitations Affiliate systems QR code generation Marketing automation Analytics tracking Customer portals An API allows applications to create and manage links without human interaction. The Traditional HTTP Approach Most URL shortener APIs work through simple HTTP requests. For example: $client = new GuzzleHttp\Client (); $response = $client -> post ( 'https://example.com/api/links' , [ 'headers' => [ 'X-Api-Key' => $apiKey , 'Content-Type' => 'application/json' , ], 'json' => [ 'url' => 'https://example.com/article' ] ] ); $data = json_decode ( $response -> getBody (), true ); echo $data [ 'short_url' ]; This works. But once your application creates dozens or hundreds of links, the amount of boilerplate code starts growing. Using a PHP SDK A PHP SDK removes most of the repetitive work. Installation is usually straightforward: composer require lix-url/php-sdk Creating a link becomes much simpler: $link = $client -> links () -> create ([ 'url' => 'https://example.com/article' ]); echo $link -> shortUrl ; The SDK handles: Authentication HTTP requests Response parsing Error handling DTO mapping This allows your application code to remain clean. Creating Your First Short Link Let's imagine an application that sends invitation emails. $inviteLink = $client -> links () -> create ([ 'url' => 'https://myapp.com/invite/abc123' ]); echo $inviteLink -> short
AI 资讯
Deploying a Containerized Backend to a VPS with Docker Compose + GitHub Actions (A Beginner's Runbook)
This is a complete, copy‑pasteable guide for shipping a backend app to a single Linux server using Docker Compose , with a GitHub Actions pipeline that builds the image, scans it, and deploys it over SSH. It is written to be language- and framework-agnostic . The examples use a Node/TypeScript API with PostgreSQL, Redis, and a background worker, but the same shape works for Python/Django, Go, Java/Spring, Ruby, etc. Anywhere you see your-app , your-org , your-server-ip , or example.com , substitute your own values. Every file is included in full, and every non-obvious line is explained. The last section — Common errors and how to fix them — is the part most guides skip, and it is the part that will actually save your afternoon. All of it comes from a real deployment, mistakes included. 1. The mental model (read this first) Before any YAML, understand the shape of what we're building. There are only three places anything lives: Your Git repository the single source of truth. Your code, your Dockerfile , your docker-compose.prod.yml , and your CI/CD workflows all live here. You only ever edit things here. A container registry (we use GHCR, GitHub's built-in registry) — a warehouse for the built application image. CI builds the image and pushes it here. Your server (a plain Linux VPS) pulls the image from the registry and runs it. It holds exactly two files: the compose file (copied from your repo by the pipeline) and a secrets file ( .env ) that never leaves the server. The flow, end to end: You push to main │ ▼ GitHub Actions: build image ──► push to registry ──► scan image │ ▼ GitHub Actions: SSH to server ──► pull image ──► run migrations ──► start app ──► health-check The single most important rule: the server is disposable . You never hand-edit files on the server, because the pipeline overwrites them from the repo on every deploy. If you fix something by editing on the server, the next deploy silently erases your fix. Edit in the repo, commit, push. (I learned t
开发者
🍼 宝宝的小仓库 —— 幼师带你认识"NAS"
🌟 开场白:你有没有这样的烦恼? 小朋友们,有没有遇到过这种情况: 📱 手机里的照片太多, 装不下了 ! 💻 电脑里的视频, 换了电脑就找不到了 ! 👨👩👧 爸爸妈妈爷爷奶奶,想看同一个视频, 要互相发来发去 ! 有没有一个地方, 所有人都能存东西、随时取东西 ? 有!那就是 —— 🏠 NAS N etwork A ttached S torage 网络附加存储 (但老师觉得叫它 "家庭小仓库" 更好懂!) 🎒 第一课:NAS到底是个啥? 先想象一个场景 👇 幼儿园有个 大储物柜 🗄️ 每个小朋友都有 自己的格子 在教室里、在走廊里、甚至在家里 只要知道密码,随时可以取东西! 老师也可以把作业放进去,大家一起看 这个 "随时随地都能访问的大储物柜" ,就是 NAS ! 👩🏫 老师比喻总结: 普通硬盘 NAS 只插在一台电脑上用 接在路由器上,全家都能用 只有这台电脑能访问 手机、平板、电脑都能访问 出门就用不了 出门在外也能访问 🌍 像你自己的小书包 🎒 像幼儿园的公共储物柜 🗄️ 🏗️ 第二课:NAS长什么样? NAS其实就是一台 特别的小电脑 🖥️ 普通电脑 = 有屏幕、键盘、鼠标 NAS = 没有屏幕!没有键盘!没有鼠标! 只有一个"装硬盘的盒子" + 网线插口 ┌─────────────────┐ │ NAS 小盒子 │ │ ┌───┐ ┌───┐ │ │ │硬 │ │硬 │ │ ← 装了好几块硬盘 │ │盘1│ │盘2│ │ │ └───┘ └───┘ │ │ 💡 小灯灯 │ └────────┬────────┘ │ 网线 │ 📡 路由器 / | \ / | \ 手机 电脑 平板 👩🏫 老师比喻: NAS = 一个 装了很多大肚子的小机器人 🤖 它不需要眼睛(屏幕)、不需要手(键盘) 它只需要 网线 ,就能默默给全家服务 💪 🤯 第三课:重点来了! NAS 其实就是一个"网页操作系统"! 小朋友们先回忆一下上次学的 👇 网页 = HTML骨架 + CSS衣服 + JavaScript动作 然后放在 服务器 上,用 浏览器 访问 现在老师告诉你一个秘密 🤫 NAS 本身就是一台服务器! 你管理NAS,不需要接显示器 直接打开浏览器,输入地址 NAS就把它的"控制面板"当网页显示给你! 就像这样 👇 你打开浏览器,输入:http://192.168.1.100 ↓ NAS的"网页控制面板"出现了! 有文件管理、有设置、有相册... 跟用网站一模一样! 👩🏫 老师比喻: NAS = 幼儿园的 全自动智能储物柜 🗄️✨ 你不用去柜子跟前 在家用手机扫一下 → 柜子的 控制屏幕传到你手机上 你在手机上点点点 → 柜子乖乖开门取东西 这个"控制屏幕",就是NAS的 网页界面 ! 🍳 第四课:前端和后端 —— NAS版本! 还记得上次说的"大厨房"吗? 你(浏览器)点菜 → 厨房(服务器)做好送来 NAS也是一样的,分成 前端 和 后端 两个部分! 🎨 前端 —— 你看见的那一面 ┌─────────────────────────────────┐ │ NAS 网页控制台 │ │ ┌─────┐ ┌─────┐ ┌─────┐ │ │ │📁文件│ │🖼️相册│ │🎬视频│ │ │ └─────┘ └─────┘ └─────┘ │ │ ┌─────────────────────────┐ │ │ │ 这里显示你的文件列表 │ │ │ └─────────────────────────┘ │ │ [上传] [下载] [删除] │ └─────────────────────────────────┘ 这些你能看见的 = 前端 🎨 👩🏫 老师比喻: 前端 = 储物柜 正面的触摸屏 📱 漂漂亮亮的按钮、图标、列表 你能看见、能点的,都是 前端 ⚙️ 后端 —— 藏在里面干活的 你点击"上传文件" 👆 ↓ 前端说:"收到!我去通知后端!" ↓ 后端收到指令 ⚙️: 1. 检查你有没有权限 🔐 2. 找到硬盘上空的位置 💾 3. 把文件存进去 ✅ 4. 告诉前端:"存好啦!" ↓ 前端显示:"上传成功!✅" 👩🏫 老师比喻: 后端 = 储物柜 里面的机械手臂 🦾 你在触摸屏上点"放东西进去" 机械手臂默默把东西码放整齐 你看不见它,但它一直在努力工作! 🔄 前端和后端怎么说话? 前端(网页) ←→ 后端(NAS系统) ↑ ↑ 你能看见的界面 藏在机器里的程序 它们用"API"互相说话 API = 两个人之间的"对讲机" 📻 👩🏫 老师比喻: 角色 NAS里是谁 幼儿园比喻 前端 网页控制台界面 储物柜的触摸屏 📱 后端 NAS的操作系统程序 里面的机械手臂 🦾 API 前后端通信接口 触摸屏和手臂之间的对讲机 📻
AI 资讯
Where AI code intelligence fits in your AI developer roadmap 2026
Code generation tools are powerful and can significantly accelerate development work. Their main limitation is not capability, but context. Without access to organizational knowledge, internal conventions, and system-specific patterns, generated output often requires careful verification. This is why generation tools work best when paired with AI code search, as the latter provides immediate visibility into the existing codebase, making it easier to align AI-generated changes with the realities of the system. In regulated environments, the adoption model may look different. Security or compliance constraints can restrict the use of cloud-based code generation. AI code search still improves developer efficiency across implementation, review, and documentation workflows by enabling fast navigation and comprehension of large multi-repository codebases. What is AI code intelligence, and how does it help in practice? Code intelligence tools help developers find and understand existing code. If a search returns a poor result, the developer simply searches again. Nothing changes in your codebase. Code search also integrates without friction. No new review processes, no changes to CI/CD, no new permissions. Generation tools require policies for AI-written code that stall many pilots before they produce data. Clear metrics for measuring AI code intelligence An AI code search assistant only reads your code, which makes it much easier to measure its impact. You can track simple things like: • how long it takes to find the right piece of code • how quickly new developers get up to speed • how many hours the team spends searching each week If your team of 20 developers each spends 5 hours weekly understanding code, that equals 100 hours of engineering time. At $75 per hour, that’s $360,000 per year. Assume 10% reduction recovers $36,000, a realistic input for an AI ROI framework for tech teams. Faster path to Phase 3 expansion Code generation tools face tough questions from secu
AI 资讯
From Root CA to User Authorization in nginx+apache. Part 2: Certificate Revocation, CRL and OCSP
A follow-up to Part 1 ( EN on LinkedIn · RU on Habr ), where we stood up a two-tier PKI: a Root CA and three intermediate CAs — Person, Server and Code. At the end of Part 1 I promised we'd learn to revoke certificates and run OCSP. That's what we'll do here. Like Part 1, this article is meant as a hands-on manual : for every command and extension we touch, there's an extended reference of the parameters you can actually use — with syntax, allowed values, defaults and gotchas. If you don't need a given option right now, just skim past the table; it's there so you don't have to dig through man later. Each section has the same shape: first the working commands for the common case, then the full parameter reference. Tested on versions. Flag names, defaults and extension syntax were verified against the official documentation of OpenSSL master , plus nginx and Apache mod_ssl. OpenSSL evolves per branch: anything marked "OpenSSL 4.0 / master" (for example the nonss qualifier on authorityKeyIdentifier ) is not yet available in the stable 3.x line. If you're on OpenSSL 3.0–3.6, double-check the disputed options with openssl <cmd> --help or your version's man before copy-pasting config. The numeric openssl verify error codes above 40 also shifted between branches — confirm them against your version's header. In this part: How a revoked certificate differs from an expired one, and why we need two mechanisms — CRL and OCSP. Adding the distribution points (CDP) and AIA to the config so issued certificates "tell" verifiers where to check them. Revoking a certificate and working with the CA database. Generating a CRL and inspecting it with openssl crl . Checking revocation with openssl verify . Running an OCSP responder: issuing its certificate, starting the daemon, querying status. Publishing the CRL and OCSP over HTTP (nginx), configuring OCSP stapling and revocation checking on the web server. All paths, file names and config sections are the same as in Part 1. Where you name
开发者
Type-Safe Env Vars Without Zod
Most TypeScript projects treat environment variables like second-class citizens. They're string | undefined everywhere, asserted with ! and parsed with parseInt() . TypeScript can't help because process.env is typed as Record<string, string | undefined> . Schema-based validation fixes this. But most solutions bring zod, which adds 50 KB to your bundle. CtroEnv does it with zero dependencies and 6.5 KB gzipped. How Inference Works The type system reads each validator's configuration at compile time: type InferredValue < V > = V extends Validator < infer T > ? V [ " metadata " ] extends { hasDefault : true } ? T // .default() → non-nullable : V [ " metadata " ] extends { optional : true } ? T | undefined // .optional() → nullable : T // required → guaranteed present : never This means the schema defines the type: const env = defineEnv ({ PORT : number (). port (). default ( 3000 ), // ^? number — default makes it always present DB_URL : string (). url (), // ^? string — required DEBUG : boolean (). optional (), // ^? boolean | undefined — optional NODE_ENV : pick ([ " dev " , " prod " , " staging " ] as const ), // ^? "dev" | "prod" | "staging" — exact union }) No interface Env { ... } . No z.infer<typeof Schema> . Add a new validator, and the type updates automatically. Default vs Optional vs Required The three states and their types: Declaration Type Runtime behavior string() string Required — throws if missing string().optional() `string \ undefined` string().default("x") string Falls back to "x" string().optional().default("x") string Default overrides optional TypeScript reflects this exactly. Optional gives you | undefined . Default removes it. The as const Requirement pick() needs as const to preserve literal types: pick ([ " dev " , " prod " ]) // type: string — widened pick ([ " dev " , " prod " ] as const ) // type: "dev" | "prod" — exact union Without as const , TypeScript widens the array to string[] and you lose the union. Exhaustive Checking With exact l
AI 资讯
React useIsomorphicLayoutEffect: Fix the SSR useLayoutEffect Warning (2026)
You added a useLayoutEffect to measure a tooltip, shipped it, and the next time your Next.js (or Remix, or Gatsby) dev server rendered a page on the server, the console lit up: Warning: useLayoutEffect does nothing on the server, because its effect cannot be encoded into the server renderer's output format. This will lead to a mismatch between the initial, non-hydrated UI and the intended UI. To avoid this, useLayoutEffect should only be used in components that render exclusively on the client. The warning is correct, the suggested fix ("only use it on the client") is unhelpful, and the obvious workaround — just switch to useEffect — quietly reintroduces the visual bug you used useLayoutEffect to kill in the first place. useIsomorphicLayoutEffect is the small hook that resolves the standoff. This post explains exactly why the warning happens, why the two naive fixes are both wrong, and what the one-line hook actually does. Why useLayoutEffect Exists At All React gives you two effect hooks that look nearly identical: useEffect runs after the browser has painted. Its callback is queued and fires asynchronously once the frame is on screen. useLayoutEffect runs before the browser paints, synchronously, right after React has mutated the DOM but before the user sees anything. That timing difference is the whole point. If you need to read layout — getBoundingClientRect , scrollHeight , the measured width of a node — and then write a style based on it, you have to do it before paint. Otherwise the user sees one frame of the wrong layout, then a flicker as your useEffect corrects it. The canonical example is a tooltip that has to position itself relative to its own measured size: function Tooltip ({ targetRect , children }) { const ref = useRef < HTMLDivElement > ( null ); const [ pos , setPos ] = useState ({ top : 0 , left : 0 }); useLayoutEffect (() => { const { height , width } = ref . current ! . getBoundingClientRect (); // place the tooltip above the target, centered s
AI 资讯
Apache Iceberg in Production: Compaction, Catalogs, and the Pitfalls Nobody Warns You About
Apache Iceberg looked like the answer to everything when we first adopted it. Open format, ACID transactions, time travel, schema evolution. We migrated our Hive tables, ran a few queries, and felt good about life. Three months later, our S3 costs doubled. Queries that used to take 10 seconds were taking 4 minutes. Metadata operations were timing out. Nobody on the team could explain why. That was the beginning of a real education in how Iceberg actually behaves in production. This post covers what I wish someone had told us before we went all-in. The Small Files Problem Is Not Optional Iceberg is append-friendly by design. Every micro-batch write, every streaming insert, every incremental load creates new Parquet files. Each file also gets its own metadata entry. After a week of hourly loads, you might have 10,000 files in a single partition where you wanted 20. The result: Iceberg's metadata layer has to plan queries across thousands of file manifests. Planning takes longer than execution. Your 10-second query becomes a 4-minute query, and your users start filing tickets. Fix: automate compaction from day one. In Spark, compaction is called rewrite_data_files . The basic call looks like this: -- Run this on a schedule, not on-demand CALL iceberg_catalog . system . rewrite_data_files ( table => 'analytics.events' , strategy => 'binpack' , options => map ( 'target-file-size-bytes' , '134217728' , -- 128MB target per file 'min-input-files' , '5' -- only compact if 5+ small files exist ) ) Target file size of 128MB to 512MB is the practical sweet spot. Smaller than that, you still have too many files. Larger, and your query engines cannot parallelize reads efficiently. If you are not using Spark, PyIceberg exposes compaction through the table maintenance API (as of 0.7.x). For Flink or Trino-only shops, schedule compaction as a separate Spark job. Yes, it is annoying, but it is the right call. Hidden Partitioning Is the Feature You Are Probably Ignoring Old Hive parti