今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#vs

找到 128 篇相关文章

AI 资讯

Why Cursor Keeps Writing Prototype Pollution Into Your Merge Code

TL;DR AI editors love writing recursive merge helpers, and most of them are open to prototype pollution. One crafted JSON payload with a proto key can flip an isAdmin flag on every object in your app. Guard the keys or merge into a structure that has no prototype. It is a three-line fix. I asked Cursor for a "deep merge two config objects" helper last week. It gave me eight lines that worked perfectly on my test data. It also gave me a prototype pollution hole big enough to walk through. The function looked fine. That is the problem. Prototype pollution does not show up when you run the happy path. It shows up when someone sends you a key called proto . The code Cursor handed me (CWE-1321) function merge ( target , source ) { for ( const key in source ) { if ( source [ key ] && typeof source [ key ] === ' object ' ) { target [ key ] = merge ( target [ key ] || {}, source [ key ]); } else { target [ key ] = source [ key ]; } } return target ; } Now feed it something a user controls, like a parsed JSON request body: merge ({}, JSON . parse ( ' {"__proto__": {"isAdmin": true}} ' )); ({}). isAdmin ; // true You did not set isAdmin on anything. You set it on every object in the process. Any later check like if (user.isAdmin) now passes for objects that never had that field. Why this keeps happening The recursive merge pattern is all over old blog posts and StackOverflow answers, and almost none of them guard the special keys. The model learned merge from that corpus. It reproduces the shape of the answer, including the missing check, because the missing check never breaks a test. A for...in loop also walks keys like proto when they arrive as ordinary string properties from JSON.parse, which is exactly how the payload gets in. The fix Skip the dangerous keys, or merge into something that has no prototype to pollute. function merge ( target , source ) { for ( const key in source ) { if ( key === ' __proto__ ' || key === ' constructor ' || key === ' prototype ' ) continue ;

2026-07-10 原文 →
开发者

Introducing OrBit: A Local-First Workspace Synchronization Engine for Developers

As developers , we often face challenges keeping our workspaces perfectly synchronized across devices and collaborators. Whether it’s dealing with slow cloud sync, merge conflicts, or latency issues, these problems can disrupt our workflow and productivity. That’s why I’m excited to introduce OrBit , a local-first workspace synchronization engine designed to keep your development environments in sync with sub-millisecond latency — all while supporting offline work and peer-to-peer collaboration. What is OrBit ? OrBit is built around a multi-layered architecture that combines the power of Rust, Tauri, and VS Code to deliver a seamless synchronization experience: Rust-based local watcher daemon: Monitors file system changes with kernel-level events for ultra-low latency. Tauri-based native desktop dashboard: Provides a lightweight, secure, and cross-platform interface to manage your sync settings. VS Code extension: Integrates directly with your editor for smooth, real-time syncing of your code workspace. Unlike traditional cloud-based sync solutions, OrBit uses peer-to-peer connections and Conflict-free Replicated Data Types (CRDTs) to ensure your workspaces stay consistent even during network partitions or offline periods. Key Features Real-time sync with sub-millisecond latency: Changes propagate instantly across your devices. Offline support: Work uninterrupted without internet, with automatic merging when reconnected. Conflict resolution: CRDTs handle concurrent edits gracefully, preventing data loss. Native desktop and editor integration: Manage sync easily via the desktop app and VS Code extension. Peer-to-peer architecture: No heavy cloud servers required, enhancing privacy and speed. Why OrBit ? OrBit is designed for developers who demand speed, reliability, and seamless collaboration. It eliminates the frustration of slow syncs and merge conflicts, letting you focus on coding. Whether you’re working solo across multiple devices or collaborating with a team,

2026-07-10 原文 →
AI 资讯

10 Minimalist Extensions for VS Code / Cursor to Maximize Focus

We have all been there: you open your editor to write a simple feature, and within ten minutes, your screen is a chaotic mess. You are drowning in squiggly red lines, bright rainbow bracket lines, a crowded sidebar, Git blame popups blocking your text, and terminal notifications screaming for attention. Modern IDEs like VS Code and Cursor are incredibly powerful, but out of the box, they are built to distract you. If you want to achieve true flow state, you need to strip away the noise. Here are 10 minimalist extensions built for both VS Code and Cursor that are explicitly engineered to eliminate clutter, reduce cognitive load, and help you focus on the only thing that matters: the code. Interface and Zen Mode Cleansers 1. Zen Mode (Built-in, but needs tweaking) The Vibe: Complete visual isolation. What it does: While not an external extension, true minimalism starts here. Hitting Cmd+K Z (or Ctrl+K Z) instantly hides the activity bar, status bar, sidebar, and editor tabs, leaving you with nothing but your code centered on the screen. The Focus Trick: Go into your settings and toggle zenMode.hideLineNumbers to true to get rid of the left-hand numbering margin entirely for deep reading sessions. 2. APC Customize UI++ The Vibe: Pixel-perfect control over editor bloat. What it does: If you love the layout of hyper-minimalist editors like Zed but want to keep the power of Cursor or VS Code, this is your holy grail. It allows you to shrink font sizes of the UI independently from your code, hide specific layout borders, trim the massive top title bars, and customize panel padding to give your code room to breathe. 3. Customize UI / Active Bar Hidden The Vibe: Moving target elements out of sight. What it does: The left-hand Activity Bar (with the extensions, search, and source control icons) is a constant source of colorful badge notifications. Use this to hide it entirely. You can easily trigger those panels via keyboard shortcuts (Cmd+Shift+E for explorer, Cmd+Shift+F fo

2026-07-09 原文 →
AI 资讯

Signal vs. Noise in Code Evaluations: How to Accurately Measure Developer Skill

Originally published on tamiz.pro . The Signal: Core Developer Competencies Effective code evaluations must identify signal - the skills that directly impact software quality and long-term maintainability. Focus on: Problem-Solving Approach : How candidates break down complex problems Code Structure : Organization, modularity, and separation of concerns Edge Case Handling : Proactive identification of boundary conditions Test Coverage : Implementation of meaningful unit/integration tests Performance Awareness : Appropriate algorithm selection and resource management These elements predict real-world engineering capabilities, not just syntax mastery. The Noise: Common Evaluation Pitfalls Avoid overemphasizing noise - factors that correlate weakly with actual job performance: Noise Factor Why It Fails Signal Alternative Coding style Reflects personal preference Consistency within project conventions Syntax errors Easily fixed with linters Code correctness after tooling Solution speed Varies by individual Final solution quality Language trivia Library/framework knowledge changes Core programming principles Interview anxiety Doesn't reflect daily work Paired programming sessions Measuring Signal Effectively Task Design : Create realistic coding challenges that mirror production problems Rubric-Based Evaluation : Use weighted scoring matrices focused on signal factors Code Review Simulations : Evaluate candidates' ability to interpret and improve existing codebases Collaboration Metrics : Track communication clarity during pair programming sessions Iterative Development : Assess how well candidates refine solutions based on feedback Signal Amplification Techniques Time-Bounded Challenges : Set strict time limits to reduce focus on perfectionism Tooling Freedom : Allow candidates to use their preferred IDEs and debugging tools Post-Coding Debrief : Ask candidates to explain their design choices and tradeoffs Follow-Up Questions : Test understanding of implementation decis

2026-07-09 原文 →
AI 资讯

CAP Theorem — Consistency vs Availability

CAP: khi network partition xảy ra, chỉ được chọn C hoặc A — không có "cả ba" CAP theorem là kết quả của Gilbert và Lynch (formal proof năm 2002 cho conjecture Brewer đưa ra ở PODC keynote 2000): một hệ phân tán có shared state không thể đồng thời cung cấp cả linearizable Consistency , Availability (mọi request tới non-failing node đều trả lời không lỗi), và Partition tolerance khi có network partition. Trong thực tế, partition là thứ sẽ xảy ra — TCP retransmit, GC pause dài, switch chết, cross-region link flap — nên P là ràng buộc bắt buộc, không phải lựa chọn. Câu hỏi thật là: khi partition xảy ra, hệ thống hy sinh C hay A? Chọn sai gây ra hai loại incident khác nhau: chọn AP mà dữ liệu cần linearizable dẫn tới double-charge, oversell inventory, split-brain; chọn CP mà dữ liệu chỉ cần eventually consistent dẫn tới downtime không cần thiết, user không đọc được profile của chính mình. Cơ chế hoạt động Định nghĩa formal theo Gilbert và Lynch: Consistency ở đây là linearizability : mọi read sau một write hoàn tất phải thấy giá trị mới (hoặc mới hơn); tồn tại một total order các operation phù hợp với real-time. Availability : mọi request tới một non-failing node phải nhận response (không timeout, không error). Partition tolerance : hệ thống tiếp tục hoạt động dù network drop tuỳ ý message giữa các node. Proof intuition: giả sử có 2 node N1, N2 giữ cùng key x=0 . Client ghi x=1 vào N1. Link N1 và N2 đứt. Một client khác đọc x từ N2. Nếu N2 trả về 0 thì không linearizable (mất C). Nếu N2 chờ đến khi thấy được N1 thì mất A. Nếu N2 từ chối phục vụ thì cũng mất A. Không có cách thứ ba. Trong hệ CP, mỗi write phải qua quorum (Raft, Paxos, ZAB); khi node bị isolate khỏi quorum, nó từ chối phục vụ để giữ linearizability: // etcd/Raft-style: khi mất quorum, leader step down và write fail resp , err := kv . Put ( ctx , "order/42" , "paid" ) if err != nil { // err là ErrLeaderChanged hoặc context.DeadlineExceeded khi ở minority side // client thấy unavailable — đúng contract CP re

2026-07-08 原文 →
AI 资讯

GitHub Copilot's enterprise managed-settings.json is now GA

GA in a sentence GitHub moved its enterprise managed-settings.json to general availability on July 1, giving GitHub Enterprise Cloud admins a single JSON file that overrides Copilot behaviour in VS Code and Copilot CLI for anyone holding a Copilot Business or Copilot Enterprise seat issued from the enterprise or one of its organizations. The changelog frames it as a place to define AI standards for the tenant. In practice it is a supported home for Copilot policy that shipped one setting at a time in beta up to this point. The five keys the file accepts Five keys are documented at GA: extraKnownMarketplaces , enabledPlugins , strictKnownMarketplaces , disableBypassPermissionsMode , and model . Together they configure trust for extra plugin marketplaces, the enabled-plugins list, strict enforcement of the known-good marketplace list, whether Copilot CLI and the VS Code extension can run in bypass-permission mode, and which model a user is allowed to pick. Value shapes are not enumerated in the changelog itself; the docs page is the reference for the schema. How the file reaches a client The file lives at copilot/managed-settings.json inside the .github-private repository of the organization the enterprise nominates for the role. There is a backward-compatible path at .github/copilot/settings.json for tenants already using the older layout. Copilot clients fetch the file from the server on every authentication, hold it in memory, and refresh it hourly, per the changelog. That server-side file takes precedence over the file-based config a user may have on their own machine. Setup runs through the AI Controls tab in enterprise settings, or the equivalent API endpoint, where an admin picks the hosting organization. Anyone who followed the June rollouts of disableBypassPermissionsMode and strictKnownMarketplaces will recognise the same file and the same repo. GA is what turns the plumbing into a supported product surface. Where it will trip you Two operational details are

2026-07-05 原文 →