All categories

Programming

2090 articles

Quoting Charity Majors
What happened in 2025 was this: the economics of code production were turned upside down. Instead of being very hard, time-consuming, and expensive to generate code, it became effectively free and instant. Lines of code went from being treasured, reused, cared for and carefully curated, to being disposable and regenerable, practically overnight. — Charity Majors, AI demands more engineering discipline. Not less Tags: charity-majors, ai-assisted-programming, generative-ai, ai, llms

Simon Willison's Weblog
Why skipping Eloquent doesn’t mean skipping SQL injection protection
Video version at: https://youtu.be/gAVfQhPw8Do A few weeks ago, I posted something on LinkedIn that ruffled some feathers. Here’s what I said: “Defaulting to the ORM for everything isn’t a best practice. It’s just the path of least resistance.” The replies came in fast, and a good chunk of them said the same thing: “That’s unsafe! […] The post Why skipping Eloquent doesn’t mean skipping SQL injection protection appeared first on PHP Architect.

PHP Architect
140+ Mastra npm Packages Compromised in Coordinated Supply Chain Attack
Socket has detected a malicious npm supply chain campaign involving compromised @mastra/* packages published under the Mastra namespace. A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17. The compromised package versions themselves contain unmodified code; the attack is delivered through an injected dependency, a typosquatted package named easy-day-js added to each package's dependency list. easy-day-js…

Socket
<click-to-play> — a still that plays
Tool: <click-to-play> — a still that plays A progressive enchantment Web Component that turns this markup: <click-to-play> <a href="URL to GIF"> <img src="URL to first frame" alt="..."> </a> </click-to-play> Into a still frame with a click to play button which loads the GIF on demand. For when you don't want big GIFs to be loaded unless people want to play them. Here's an example that demonstrates the new row editing tools in Datasette - in fact I built this…

Simon Willison's Weblog
NetNewsWire Status
NetNewsWire Status I find this inspiring. Brent Simmons retired a year ago, and his retirement project is making one piece of software really, really good - free from any commercial pressure. The software is NetNewsWire - "it's like podcasts, but for reading" - first released in 2002 and made open source in 2018. I've been using it on Mac and iPhone for several years now and I'm finding it indispensable. Via Lobste.rs Tags: brent-simmons, netnewswire, open-source

Simon Willison's Weblog
npm Package Uses Prompt Injection and Token Flooding to Disrupt AI Malware Scanners
Last week, Socket Threat Research reported that newer Mini Shai-Hulud, Miasma, and Hades packages were embedding fake prompt-injection headers before obfuscated JavaScript payloads. Those comments did not affect runtime execution, but they appeared designed to interfere with AI-assisted malware review. Now we are seeing that same idea tested more directly in a package that appears designed to probe how AI-based scanners handle prompt injection, safety-triggering content, and context flooding.…

Socket
datasette 1.0a34
Release: datasette 1.0a34 Quoting the release notes: The big feature in this alpha is tools to insert, edit and delete rows within the Datasette interface. These features are available on table pages, and edit and delete are also available as action items on the row page. The inspiration for this feature - which is long overdue - was Datasette Agent. I added SQL write support to that the other day which highlighted how absurd it was that you could insert and edit ties via the chat interface but…

Simon Willison's Weblog
datasette-tailscale 0.1a0
Release: datasette-tailscale 0.1a0 A very experimental alpha plugin which lets you do this: datasette tailscale mydata.db \ --ts-authkey tskey-auth-xxxx --ts-hostname datasette-preview This starts a localhost Datasette server with a Tailscale sidecar that connects it to your Tailnet, such that http://datasette-preview/ serves Datasette. It's using the Python bindings for the experimental tailscale-rs library. I filed an issue asking if there's a cleaner way of setting up the proxy mechanism.…

Simon Willison's Weblog
Quoting Georgi Gerganov
I can 100% attest to the fact that Qwen3.6-27B is a very capable local model for coding tasks. Over the last month and a half I've been using it almost daily, either on my M2 Ultra or on my RTX 5090 box. I use it for small mundane tasks at ggml-org - nothing really impressive, but definitely a helpful tool for a maintainer. I think I would be using it much more, if I didn't have to spend a lot of my time on reviewing PRs. Currently, I have a very lightweight harness - the pi agent with…

Simon Willison's Weblog
Introducing Manifest Alerts
Socket now detects missing lockfiles with Manifest Alerts, a new kind of alert for supply chain risks found in project manifests. The feature was built in response to a real problem customers faced during the Axios npm compromise. Due to the complexities of modern dependency resolution, the blast radius of this incident was much wider than it initially appeared. Exposure was not limited to projects that directly depended on the compromised Axios version. For teams with committed lockfiles and…

Socket