Other

41 items
Today · 3 dispatches
  • #0041 · Other · GeekNews

    Firefox 148 Starts Turning Off `asm.js` Optimization

    40 radar

    Legacy asm.js still runs, but loses its fast path in Firefox. Old web games and compute-heavy demos should move to WebAssembly; new products can ignore this.

    • From Firefox 148, SpiderMonkey disables asm.js optimization by default, with removal planned later.
    • Compatibility remains because asm.js is a JavaScript subset; the breakage risk is performance, not execution.
    • Existing asm.js assets should be migrated to WebAssembly. For new builds, do not target asm.js.
    Source: news.hada.io/topic?id=29732
  • #0040 · Other · GeekNews

    `TabPFN`, Foundation Model for Tabular Data

    50 radar
    TabPFN: Tabular ML model — fit/predict for classification and regression

    Classification and regression run through a scikit-learn-style fit/predict flow. Useful for quick baselines on small structured datasets before building a full ML pipeline.

    • TabPFN targets tabular data, not text or images; it fits churn, scoring, lead ranking, and internal ops data.
    • The fit/predict interface lowers integration cost for Python stacks already using scikit-learn.
    • TabPFN-2.6 was trained only on synthetic data, so production use still needs validation against real domain data.
    Source: news.hada.io/topic?id=29719
  • #0039 · Other · GeekNews

    Mini Shai-Hulud Returns: 314 `npm` Packages Compromised

    60 radar

    A short publish window still pushed hundreds of malicious versions. Lockfiles, token hygiene, and dependency review matter before the next npm install.

    • The atool npm account was compromised on May 19, 2026, and malicious releases were pushed for about 22 minutes.
    • Attack automation produced 637 malicious versions across roughly 317 packages. Short-lived incidents still reach CI fast.
    • The payload was a 498KB obfuscated Bun script, matching scanner structure and regexes tied to Mini Shai-Hulud.
    • Targets included cloud credentials such as AWS keys. Rotate exposed tokens and audit recent installs from affected packages.
    Source: news.hada.io/topic?id=29709
Yesterday · 6 dispatches
  • #0038 · Other · GeekNews

    `Bambu Studio` Faces Broad AGPLv3 Compliance Challenge

    40 radar
    Bambu Studio: 3D printing slicer — based on PrusaSlicer

    Copyleft obligations can reach bundled dynamic libraries and install info. If you fork AGPLv3 software, partial source drops are not enough.

    • AGPLv3 Corresponding Source covers code needed to generate, install, run, and modify the work, not just visible app changes.
    • A tightly coupled proprietary networking library may need source disclosure if it is dynamically linked into the modified app.
    • Forking strong-copyleft projects for commercial software demands release-process checks before binaries ship.
    Source: news.hada.io/topic?id=29694
  • #0037 · Other · GeekNews

    What's New in `Chrome` from Google I/O 2026

    50 radar

    The web is shifting from human clicks to agent-driven browsing and AI-assisted development. Worth tracking before specs turn into defaults.

    • Paul Kinlan, who leads Chrome DevRel, framed the last 6 months as a fast reset for web development workflows.
    • One axis is preparing sites for agents that browse on users' behalf. Structured, machine-readable UX will matter more.
    • Another axis is developer tooling. Chrome is positioning DevTools around AI-assisted debugging and building, not just inspection.
    • The source is short and lacks API-level details, so this is a watchlist item rather than something to implement today.
    Source: news.hada.io/topic?id=29693
  • #0036 · Other · GeekNews

    JavaScript Debloating: Complexity, Libraries, and the WASM Trade-off

    40 radar

    Small browser UIs can become heavy fast. WebAssembly helps, but async bridging to the JavaScript event loop keeps the payoff situational.

    • Nested syntax and callbacks make JavaScript complexity grow quickly; bundle size is often a design outcome, not just tooling noise.
    • Small UI surfaces can still pull in many libraries. Dependency defaults deserve review before reaching for another package.
    • WebAssembly opens the browser to other languages, but Pyodide-style async event-loop integration adds real coordination cost.
    Source: news.hada.io/topic?id=29675
  • #0035 · Other · GeekNews

    `Tachyon`, a Sampling Profiler Coming to `Python 3.15`

    40 radar
    Tachyon: Python profiler — sampling view for multithread bottlenecks

    Stdlib profiling is moving closer to real multithreaded bottleneck hunting. Useful for Python-heavy services, but not an urgent stack change yet.

    • Tachyon is described as a sampling-based profiler added to the standard library, reducing the need for separate profiler setup.
    • The examples focus on visualizing multithreading bottlenecks, which matters more as GIL-free Python work becomes practical.
    • It also caught performance traps from OOP abstraction, a useful check before blaming infrastructure or database latency.
    Source: news.hada.io/topic?id=29673
  • #0034 · Other · Simon Willison

    `datasette-llm` `0.1a8` fixes response-chain context collection

    40 radar
    datasette-llm: Datasette plugin — connects LLM prompt context hooks

    Prompt context now captures full response chains. Small fix, but useful if you build LLM workflows on Datasette hooks.

    • llm_prompt_context() no longer drops parts of chained responses; context passed to prompts becomes more complete.
    • The release is a bug fix only, not a new workflow or model feature. Upgrade if this hook is in your path.
    • Scope is narrow: it matters for Datasette-based LLM apps, but has little impact outside that stack.
    Source: simonwillison.net/2026/May/19/datasette-llm/#atom-everyt
  • #0033 · Other · yozm_it

    Reuse `TypeScript` types with five utility types

    40 radar

    Small type transformations cover many form, list, and API DTO cases. Partial, Pick, and Omit reduce duplicate model types; useful for keeping small codebases tidy.

    • Partial fits edit forms where every field can be optional; it avoids maintaining a separate patch type by hand.
    • Pick and Omit create list or public-view types from an existing model. Less duplication means fewer schema drift bugs.
    • Record is useful for maps keyed by known strings, such as status labels or role-based UI config.
    Source: yozm.wishket.com/magazine/detail/3760
Tue, May 19 · 1 dispatch
  • #0032 · Other · GeekNews

    `Datatype`, a variable font that turns text into charts

    40 radar
    Datatype: Variable font — turns plain strings into inline charts

    OpenType ligatures render tiny charts from plain strings like {b:30,70,50,90}. Useful for lightweight docs, emails, and dashboards where no JS rendering is a constraint.

    • Datatype uses OpenType substitution, so chart data stays as plain text instead of canvas, SVG, or image output.
    • Examples like {b:30,70,50,90} map compact syntax to inline bar charts. That makes CMS and markdown embedding simpler.
    • Best fit is small inline visualization in docs, changelogs, reports, or status pages. It is not a replacement for interactive charts.
    Source: news.hada.io/topic?id=29640
Mon, May 18 · 6 dispatches
  • #0031 · Other · r/MachineLearning

    Hugging Face revives `PapersWithCode` with AI-parsed leaderboards

    50 radar
    PapersWithCode: AI paper tracker — links code and benchmarks

    The rebuilt site tracks trending papers, methods, citations, repos, artifacts, and benchmark results. Useful for model scouting, but still manually verified and early-stage.

    • Default ranking uses GitHub star velocity, so it surfaces research projects gaining developer attention, not just citation-heavy papers.
    • Coverage starts with high-impact items like Qwen 3.5, RF-DETR, DINOv3, MTEB, Open ASR Leaderboard, and coding-agent benchmarks.
    • Paper pages auto-link GitHub repos, project URLs, artifacts, PDFs, and external non-Arxiv papers; multiple repos per paper are supported.
    • Leaderboards exist by benchmark and domain, including MMTEB, COCO val 2017, and Terminal Bench; handy for fast model/vendor filtering.
    • Result extraction uses AI agents, but verification is still manual. Treat it as a shortlist generator, not a source of record yet.
    Source: www.reddit.com/r/MachineLearning/comments/1tgmwqr/revivi
  • #0030 · Other · GeekNews

    `rkdebian` turns an $80 RK3562 Android tablet into a Debian workstation

    40 radar
    rkdebian: Debian image build system — built for Doogee U10

    A cheap locked-down device can become a bootable Debian 12 machine. Useful for low-cost Linux experiments, but the device scope is narrow and prerelease status keeps it niche.

    • Targets the Rockchip RK3562-based Doogee U10; reuse value depends almost entirely on owning that exact hardware.
    • Builds bootable Debian 12 Bookworm images, so the value is hardware repurposing more than a general dev-tool upgrade.
    • Public prerelease build is dated May 14, 2026; treat it as an experiment box, not a dependable main workstation.
    Source: news.hada.io/topic?id=29622
  • #0029 · Other · GeekNews

    Stay Native Until Text Forces Your Hand

    40 radar

    SwiftUI can handle Markdown chat UI until document-wide selection enters scope. Jumping to NSTextView brings TextKit 2 complexity and streaming CPU spikes, so delay it.

    • SwiftUI gives acceptable baseline performance for Markdown chat, but full-document text selection is hard to support cleanly.
    • Moving to NSTextView and TextKit 2 trades native UI simplicity for lower-level text control and more performance work.
    • Streaming input can trigger CPU spikes in the text stack. Chat apps should benchmark incremental rendering before committing.
    Source: news.hada.io/topic?id=29602
  • #0028 · Other · r/ClaudeAI

    5 repeatable `Claude` prompting patterns for cleaner outputs

    50 radar

    Prompt quality improves most when context becomes explicit: plan first, provide examples, ban bad phrases, and constrain answers to sources. Good enough to turn into reusable product and support workflows.

    • Ask Claude to list success criteria before writing. The same request gets better structure when the model plans first.
    • Examples beat tone adjectives. Two or three real paragraphs give the model a stronger voice target than words like “friendly.”
    • Negative constraints matter: banning phrases like “unlock” or “revolutionize” cuts generic SaaS copy fast.
    • Persistent context via Projects, AGENTS.md, or CLAUDE.md saves repeated setup and raises baseline output quality.
    • Source-bound prompts reduce hallucinated citations. Paste the material and ask for answers only from that source.
    Source: www.reddit.com/r/ClaudeAI/comments/1tg52af/5_claude_patt
  • #0027 · Other · GeekNews

    `Erlang/OTP` `29.0` Tightens SSH Daemon Defaults

    40 radar
    Erlang/OTP: Runtime platform — standard libraries and tools for Erlang apps

    Authenticated SSH users no longer get shell, exec, or SFTP by default. Small but useful hardening if your backend exposes Erlang/OTP SSH services.

    • shell and exec are disabled by default, blocking arbitrary Erlang code execution unless explicitly enabled.
    • The SFTP subsystem is no longer auto-enabled at SSH daemon startup, reducing exposed surface area.
    • This matters only for apps using the built-in Erlang/OTP SSH daemon. Most web SaaS stacks can just note the safer default.
    Source: news.hada.io/topic?id=29601
  • #0026 · Other · yozm_it

    Better AI Planning Starts With Different Questions

    40 radar

    Fast answers can create slower work when the first prompt carries bad assumptions. Use AI to test change, market frames, and premises before asking for tidy summaries.

    • The bottleneck is not answer speed; it is the time spent fixing, doubting, and re-asking weak outputs.
    • Summary-style prompts can crowd out change-oriented prompts. That mistake is especially costly in new service definition.
    • For unfamiliar markets or competitor reframing, the first question sets the direction of every later artifact.
    Source: yozm.wishket.com/magazine/detail/3737
Sun, May 17 · 2 dispatches
  • #0025 · Other · GeekNews

    Choose `HTML` Lists by Semantics, Not Appearance

    40 radar

    List elements are interaction contracts, not styling shortcuts. Picking select, datalist, ordered, descriptive, or menu markup correctly cuts accessibility debt early.

    • Fixed choices belong in select/option; suggested free input belongs in datalist. Similar UI, different interaction model.
    • Ordered, unordered, description, menu, and control lists express different user intent. CSS should change visuals, not semantics.
    • Small markup decisions affect keyboard behavior, screen readers, and form UX. Cheap to fix during build, annoying after launch.
    Source: news.hada.io/topic?id=29588
  • #0024 · Other · r/LocalLLaMA

    `llama.cpp` fork enables quantized KV cache with tensor split

    50 radar
    llama.cpp: Local LLM inference engine — supports GGUF and CUDA backends

    Tensor parallelism becomes usable with quantized KV cache on dual GPUs. Still a fork with MoE caveats, so it is a test-only local inference tweak.

    • Benchmarked Qwen3.5 27B Q4_K_M at 30.05 tok/s with -sm tensor vs 21.22 tok/s without it for generation.
    • The command uses -ctk q8_0 -ctv q8_0, removing the old tensor-split tradeoff of falling back to non-quantized KV cache.
    • Author reports real use rising from about 25 tok/s to 40 tok/s on 3060 12GB + 4070 Super 12GB.
    • MoE models currently break with -sm tensor; dense models like Qwen 27B/9B are the safer test target.
    Source: www.reddit.com/r/LocalLLaMA/comments/1tflngz/dual_gpu_ll
Sat, May 16 · 1 dispatch
  • #0023 · Other · GeekNews

    Leaving `Tailwind`, Rebuilding a Structured CSS System

    40 radar

    The practical move is not ditching utility discipline but re-encoding only the parts that aged well. Keep preflight, palette, and type scale, then move them into CSS variables and split files for a saner long-term base.

    • The migration keeps Tailwind's useful defaults like preflight reset, color tokens, and font scale instead of starting raw; that cuts regressions while dropping class-heavy markup.
    • Semantic HTML plus vanilla CSS shifts structure back into markup and design rules back into stylesheets; easier to scan, but only if naming and file boundaries stay strict.
    • Rebuilding the system with CSS variables turns ad-hoc utilities into shared tokens; better fit for theming and incremental edits than copy-pasting utility clusters.
    Source: news.hada.io/topic?id=29553
Fri, May 15 · 4 dispatches
  • #0022 · Other · GitHub Changelog

    `GitHub Projects` adds built-in timestamp fields

    50 radar

    Project views can now sort and filter by Created, Updated, and Closed without manual columns. Small change, but it removes admin work and makes backlog aging and closure tracking much easier.

    • Three built-in fields are now available: Created, Updated, Closed. No custom date-property setup needed.
    • These fields can be added to any project view, so stale items and recently touched work become easier to spot.
    • Closed is useful for measuring cycle endings and reviewing what actually shipped in a given window.
    Source: github.blog/changelog/2026-05-15-timestamp-fields-in-git
  • #0021 · Other · Simon Willison

    `datasette-llm-limits` `0.1a0` adds per-user LLM spend caps

    40 radar
    Datasette: Open-source data publishing tool — strong plugin extensibility

    LLM usage inside Datasette can now be hard-capped by user or globally with rolling windows and USD limits. Useful if you expose prompts to users; otherwise the impact is narrow but the cost-control pattern is worth copying.

    • Works with datasette-llm and datasette-llm-accountant, so enforcement sits on top of existing usage tracking.
    • Config supports per-user or global limits, with windows like rolling-24h and explicit amount_usd caps.
    • Example policy sets $1.00 per actor over 24 hours, which is a clean template for metered AI features.
    • Best fit is multi-user internal tools or lightweight SaaS surfaces where prompt access needs a hard budget guardrail.
    Source: simonwillison.net/2026/May/15/datasette-llm-limits/#atom
  • #0020 · Other · r/LocalLLaMA

    Self-Training With Verifiable Rewards Pushes `Qwen 2.5` 7B to **112/164** on HumanEval

    50 radar

    A self-generated code-and-tests loop produced a large jump without human-written training pairs. Cheap enough to replicate, but still a one-off experiment rather than a product-ready recipe.

    • The loop is simple: generate problems, sample multiple solutions, keep (failed attempt, fixed attempt) pairs, and let a Python interpreter score them.
    • After fixing a grading bug, Qwen 2.5 7B moved from 25 to 112/164 on HumanEval; that is a big enough jump to treat as a real benchmark signal.
    • A Qwen 2.5 14B run used 100 mined pairs, took 95 minutes on an H100, and cost $3.50; the barrier here is much lower than typical RL folklore.
    • Control training on fake pairs gave 25/164, identical to base, which suggests the lift came from correction data rather than format imitation.
    Source: www.reddit.com/r/LocalLLaMA/comments/1tde3m1/i_let_a_sma
  • #0019 · Other · GeekNews

    `scrcpy` `4.0` adds flexible virtual display resizing

    50 radar
    scrcpy: Android mirroring tool — low-latency control over USB or Wi-Fi

    Virtual displays can now resize to match the client window with --flex-display. The SDL3 migration should reduce resize-related friction, so it's a solid quality-of-life update for Android testing setups.

    • --flex-display or -x lets the virtual display track the client window size dynamically, which cuts friction when testing multiple Android layouts.
    • The move from SDL2 to SDL3 shifts the app onto an actively maintained graphics layer, improving upstream support and bug-fix velocity.
    • Window resizing gets safer operationally because display and client size stay aligned instead of drifting during interactive mirroring.
    • This is not a workflow reset, but teams using scrcpy daily for QA, demos, or device debugging will feel the upgrade immediately.
    Source: news.hada.io/topic?id=29505
Thu, May 14 · 2 dispatches
  • #0018 · Other · GeekNews

    `Quack`: Client-Server Protocol for `DuckDB`

    50 radar
    Quack: Protocol — adds multi-process shared writes to DuckDB

    It adds remote state sync so multiple processes can write to the same DuckDB file without abandoning the in-process model. That opens a practical middle ground between embedded analytics and a full database server, worth tracking early.

    • Remote protocol handles state synchronization needed when multiple processes modify one database file, not a separate heavyweight server core.
    • The design keeps DuckDB's in-process architecture while enabling client-server style access and concurrent writers in the same database.
    • This lowers the jump from local analytics to multi-process apps; teams using DuckDB may get shared-write workflows without moving to Postgres immediately.
    Source: news.hada.io/topic?id=29477
  • `easy-vibe`: beginner course for shipping AI apps with SaaS and payments

    50 radar
    easy-vibe: Course — from AI app building to SaaS and payments

    Starts from plain-language prompting, then walks into full-stack shipping with Stripe, SaaS UI, and RAG visuals. Useful as a fast onboarding map; advanced builders will mostly mine it for teaching flow and idea-validation sections.

    • The curriculum goes beyond prompting into a SaaS capstone, payment integration, multi-product UI, and WeChat Mini Program backend flows.
    • Visual tutorials, simulated IDE guidance, and clickable RAG/terminal demos lower early friction better than text-only docs.
    • A new appendix adds idea sourcing, JTBD, Double Diamond, and The Mom Test, so it covers validation as well as building.
    • Best fit is onboarding non-engineers or juniors into AI product building; experienced builders will not get much technical depth.
    Source: github.com/datawhalechina/easy-vibe
Wed, May 13 · 5 dispatches
  • #0016 · Other · refactoring_fm

    Pure AI vs Deterministic Software in Workflow Orchestration

    40 radar

    Useful framing for deciding where LLM calls belong in a workflow. Keep judgment-heavy steps probabilistic, but make routing, validation, and state deterministic.

    • Pure AI flows trade control for flexibility. Good for fuzzy judgment, weak for repeatable production behavior.
    • Deterministic software handles routing, retries, validation, and persistence better. That is where reliability compounds.
    • A practical LLM workflow should separate model judgment from execution rules. This reduces cost, drift, and debugging pain.
    Source: refactoring.fm/p/how-to-orchestrate-ai-workflows
  • #0015 · Other · Simon Willison

    `CSP Allow-list Experiment`: Interactive `fetch()` Recovery Inside Sandboxed `iframe`s

    40 radar

    A sandboxed iframe can catch blocked fetch() attempts, ask the parent to whitelist the origin, then reload with updated connect-src. Useful pattern for shipping safer user-script sandboxes without hardcoding every API upfront.

    • Runs apps under default-src 'none' in a sandboxed iframe, then escalates blocked network origins to the parent for approval.
    • Blocked fetch() calls surface the exact failed origin, so users can add only that domain to connect-src instead of loosening CSP broadly.
    • The flow includes prompt, allow-list update, and refresh, turning CSP failures into a usable permission UX rather than a dead end.
    • Good fit for code playgrounds, HTML preview tools, and user-generated app builders where external API access is needed but must stay constrained.
    Source: simonwillison.net/2026/May/13/csp-allow/#atom-everything
  • #0014 · Other · GeekNews

    `goshs`, a multi-protocol single-binary file server for developers

    50 radar
    goshs: File server tool — multi-protocol sharing in one binary

    Goes well beyond python3 -m http.server: one binary can serve files over HTTP/S, WebDAV, SFTP, SMB, and LDAP/S with auth included. Useful when you need secure ad-hoc sharing or device-to-device transfer without dragging in Apache-style setup.

    • Replaces the usual throwaway local server with a single binary that handles multiple protocols from one command.
    • Supports HTTPS and authentication out of the box, so quick file sharing does not require a reverse proxy or extra server config.
    • WebDAV, SFTP, and SMB in one tool makes it practical for mixed workflows across macOS, iOS, Linux, and network drives.
    • Best fit is ops-lite utility work: demos, internal asset delivery, test-device transfer, and temporary private sharing.
    Source: news.hada.io/topic?id=29445
  • #0013 · Other · OpenAI

    OpenAI details fallout from TanStack npm supply-chain attack

    40 radar
    TanStack: Frontend toolkit — suite behind Query, Table, and more

    A compromised dependency chain reached OpenAI apps, forcing macOS users to update by June 12, 2026. The practical takeaway is simple: audit signing paths and third-party packages now, not after the alert lands.

    • The incident is tied to the TanStack Mini Shai-Hulud attack, so this was not an isolated app bug but a broader npm supply-chain breach.
    • OpenAI says it secured internal systems and signing certificates; that puts code-signing infrastructure, not just package locks, on the threat model.
    • macOS users must update OpenAI apps by 2026-06-12. If a dev tool touches local files or credentials, delayed updates are a real risk.
    • The useful lesson is operational: dependency monitoring, certificate hygiene, and forced-update paths need to exist before the next package compromise.
    Source: openai.com/index/our-response-to-the-tanstack-npm-supply
  • #0012 · Other · Simon Willison

    `datasette` `1.0a29` fixes a nasty test race and smooths zero-row/mobile UX

    40 radar
    Datasette: Data tool — web app for exploring and publishing SQLite

    A thread-safety bug that could segfault tests is now fixed, alongside small but practical UI cleanup for empty tables and Mobile Safari. Useful if you embed datasette in admin tools or data products, but not a broad market-moving release.

    • Datasette.close() had a race with in-flight threaded queries and could trigger a segfault in tests; that class of bug is expensive to debug once it hits CI.
    • Empty tables now still show headers and column options, so schema-first browsing works even with 0 rows.
    • Mobile Safari column action dialog rendering was fixed, removing one of the more annoying iPhone/iPad admin UI papercuts.
    • A new TokenRestrictions.abbreviated(datasette) helper generates "_r" dictionaries, which matters mainly for plugin and internal API users.
    Source: simonwillison.net/2026/May/12/datasette/#atom-everything
Tue, May 12 · 3 dispatches
  • #0011 · Other · GeekNews

    `Mini Shai-Hulud` returns: self-propagating npm supply-chain attack hits CI/CD

    80 radar

    This worm hijacks CI/CD flows, steals secrets, and spreads through legitimate npm packages. If your pipeline publishes packages or injects tokens broadly, tighten secret scope and rotate exposed credentials now.

    • StepSecurity first detected it in an official @tanstack package, which means trusted package names are no longer a safe shortcut.
    • The blast radius is bigger than a single repo: CI tokens, registry credentials, and publish pipelines can become propagation paths.
    • Teams using long-lived secrets in GitHub Actions or package release jobs should assume lateral movement, not isolated package compromise.
    • The practical response is boring but urgent: rotate tokens, narrow CI permissions, pin releases carefully, and review package publish automation.
    Source: news.hada.io/topic?id=29427
  • #0010 · Other · GeekNews

    Postmortem: `TanStack` npm Supply-Chain Breach

    60 radar
    TanStack: OSS package suite — frontend state and data tools

    A six-minute CI-to-publish compromise turned pull_request_target, cache poisoning, and stolen OIDC credentials into malicious npm releases. If your stack pulls @tanstack/*, treat GitHub Actions hardening and dependency pinning as urgent hygiene, not optional.

    • The blast radius was 42 @tanstack/ packages and 84 malicious versions published within 6 minutes; short windows still break CI fast.
    • The chain combined pull_request_target, GitHub Actions cache poisoning, and OIDC token extraction from runner memory; one weak workflow can reach package publishing.
    • Stolen npm publish access means trusted frontend dependencies become an attack path; lockfiles alone do not save you after a poisoned release.
    • This pushes routine defenses up the priority list: tighter GitHub Actions permissions, cache isolation, and faster dependency incident response.
    Source: news.hada.io/topic?id=29413
  • `TabPFN`: fast foundation model for tabular prediction

    40 radar
    TabPFN: Model — tabular ML without preprocessing

    A strong shortcut for classification and regression on structured data without feature scaling or one-hot encoding. GPU-first and best under 100k rows / 2k features, so it is worth testing for scoring or forecasting before building a heavier pipeline.

    • pip install tabpfn gets you classifier and regressor defaults, with checkpoint download on first fit; setup is light for experiments.
    • Skip scaling and one-hot encoding entirely. That cuts prep work and makes it attractive for messy product or business datasets.
    • Inference is GPU-oriented: ~8GB VRAM works, 16GB helps on larger sets; CPU is only practical around <=1000 samples.
    • Prediction should be batched. Repeated single-row predict calls recompute the training set and can become almost 100x slower.
    • The project also points to TabPFN Client for hosted inference and extensions for SHAP, feature selection, outlier detection, and synthetic data use cases.
    Source: github.com/PriorLabs/TabPFN
Mon, May 11 · 5 dispatches
  • #0008 · Other · GitHub Changelog

    `GitHub Mobile` adds on-the-go repository creation

    40 radar
    GitHub Mobile: Mobile app — create new repositories on iPhone

    This shortens the gap between an idea and a fresh repo. On iOS, creation starts from Home or Profile via +, so quick experiment repos and name-claim drafts become much easier.

    • Creation now happens directly inside GitHub Mobile, removing the desktop detour for starting a new codebase.
    • iOS flow is explicit: Home or Profile -> + -> Create repository. Low friction matters when you want to capture an idea fast.
    • Best fit is lightweight starts: scratch repos, landing-page stubs, or placeholder names before the context disappears.
    Source: github.blog/changelog/2026-05-11-create-repositories-on-
  • #0007 · Other · GeekNews

    Replacing a `3GB` `SQLite` dictionary with a `10MB` `FST` binary

    50 radar
    FST: Static search format — compresses huge indexes into tiny binaries

    When autocomplete data explodes into tens of millions of forms, static FST indexing beats SQLite FTS on distribution cost. For read-heavy search, this is a strong pattern for mobile and edge delivery.

    • A Finnish-English dictionary grew to 40M-60M entries after inflection expansion, pushing trie-based search past practical limits.
    • A temporary SQLite FTS approach was fast enough at query time, but shipping an initial 3GB download broke usability.
    • A compiled FST binary cut the payload to about 10MB, turning a search structure into something app-bundle-sized.
    • This pattern fits datasets that are mostly static and prefix-search-heavy, where update flexibility matters less than footprint.
    Source: news.hada.io/topic?id=29379
  • #0006 · Other · GeekNews

    `CVE-2024-YIKES`: dependency hijack leaked cross-ecosystem registry creds

    60 radar
    vulpine-lz4: Package — install-time code stole CI secrets

    A JavaScript package hijack spilled into Rust and Python supply chains by stealing registry credentials like .npmrc, .pypirc, and Cargo tokens. If CI can read publish secrets during builds, one compromised package can jump ecosystems fast; tighten token scope and isolate release jobs now.

    • The blast radius was not just npm; stolen creds also covered .pypirc, Cargo, and RubyGems, so one weak link can poison multiple release pipelines.
    • A malicious build.rs in vulpine-lz4 reportedly executed on CI hosts, which turns dependency install time into a credential exfiltration path.
    • left-justify-style phishing shows package names and maintainer trust are still enough to trigger supply-chain compromise without an infra breach.
    • Build jobs that both install third-party code and hold publish tokens are the obvious failure mode. Split test and release environments before this pattern repeats.
    Source: news.hada.io/topic?id=29374
  • #0005 · Other · GeekNews

    `Bifrost`: ultra-fast enterprise AI gateway

    50 radar
    Bifrost: AI gateway — OpenAI-compatible ultra-low-latency proxy

    One OpenAI-compatible API can sit in front of multiple model vendors with sub-100µs proxy overhead. Worth checking if multi-provider routing matters more than keeping the stack minimal.

    • It fronts OpenAI, Anthropic, AWS Bedrock, and Google Vertex through one API, covering 15+ providers and simplifying app integration.
    • The pitch is 50x faster than LiteLLM, with under 100µs overhead at 5k RPS; that matters only if proxy latency is already a bottleneck.
    • Adaptive load balancing, cluster mode, guardrails, and support for 1,000+ models push routing and policy into one layer, at the cost of another ops surface.
    Source: news.hada.io/topic?id=29373
  • `PageIndex`: vectorless RAG with tree-based reasoning

    50 · radar
    PageIndex · RAG tool — searches via document trees, no vector DB

    Replaces embeddings and chunking with a document tree plus LLM-guided search. Interesting if vector recall keeps missing long-doc answers, but cost/latency need real-world validation.

    • Retrieval is split into two steps: build a table-of-contents-style tree, then run reasoning-based tree search over it.
    • The pitch is no vector DB and no chunking, with page/section references that make retrieval paths easier to inspect.
    • It claims 98.7% on FinanceBench, so the strongest fit is document-heavy domains where relevance beats semantic similarity.
    • Recent additions push it beyond a single file: file-system tree indexing, a chat product, and MCP/API access for agent workflows.
    Source: github.com/VectifyAI/PageIndex
Sun, May 10 · 1 dispatch
  • #0003 · Other · GeekNews

    `NixOS` Secrets: Plaintext in `Nix store` Is Readable

    40 · radar
    NixOS · Linux distro — declarative, reproducible system config

    Putting secrets in Nix config, private Git, or git-crypt plaintext still leaks them through the Nix store. sops-nix is the practical baseline if you deploy with NixOS; otherwise your server access model is already broken.

    • Secrets embedded in Nix config can end up in the Nix store, which is world-readable on the machine; repo privacy does not help after deploy.
    • Keeping values in a private repo or decrypting with git-crypt before build still leaves plaintext artifacts in the store, so the leak point moves to runtime.
    • sops-nix uses .sops.yaml rules and an encrypted-file editing flow, giving a cleaner path than ad hoc secret injection for NixOS setups.
    Source: news.hada.io/topic?id=29328
Fri, May 8 · 2 dispatches
  • #0002 · Other · GitHub Changelog

    `GitHub` adds user-level default for commit comments

    40 · radar

    You can now set commit comments on or off once for repos under your personal account. It trims one more per-repo setting and matters mostly if you use commits as a feedback surface; useful, but not urgent.

    • The new control applies at the personal-account level for repositories you own, not one repo at a time.
    • This is a default-behavior setting for commit comments, so new repo setup and preference management get lighter.
    • Teams building in public may leave it on for line-level feedback on commits; solo repos can shut it off to cut noise.
    • Impact is operational rather than strategic: no pricing, workflow, or platform-policy change attached.
    Source: github.blog/changelog/2026-05-08-disable-commit-comments
  • #0001 · Other · GitHub Changelog

    `CodeQL` `2.25.3` adds `Swift` `6.3` support

    40 · radar
    CodeQL · Code analysis engine — powers GitHub code scanning

    GitHub code scanning can now parse newer Swift projects without lagging toolchains. Useful if your iOS repo depends on CodeQL; otherwise the impact is limited.

    • CodeQL powers GitHub code scanning, so Swift 6.3 support lands directly in existing security analysis workflows.
    • This is a compatibility update, not a new analysis capability; teams already using CodeQL get smoother upgrades.
    • Worth noting for iOS CI pipelines pinned to latest Swift; if you do not run CodeQL, there is little immediate payoff.
    Source: github.blog/changelog/2026-05-08-codeql-2-25-3-adds-swif