top10.dev

𝗧𝗵𝗲 "𝗱𝗼𝘁 𝘀𝘆𝘀𝘁𝗲𝗺" 𝗵𝗶𝘁 𝟮𝟭𝟴 𝗽𝗼𝗶𝗻𝘁𝘀 𝗼𝗻 #hackernews — 𝗮𝗻𝗱 𝘁𝗵𝗲 𝗰𝗼𝗿𝗲 𝗶𝗻𝘀𝗶𝗴𝗵𝘁 𝗺𝗮𝗽𝘀 𝗽𝗲𝗿𝗳𝗲𝗰𝘁𝗹𝘆 𝘁𝗼 𝗴𝗮𝗿𝗯𝗮𝗴𝗲 𝗰𝗼𝗹𝗹𝗲𝗰𝘁𝗶𝗼𝗻. Most task apps use tracing GC: periodic reviews to find dead tasks. The dot system uses reference counting: rewrite each task daily or it gets collected. When carrying tasks forward costs nothing, your list grows without bound. The friction of rewriting IS the feature. The same principle behind @golang's explicit error handling and manual memory management: strategic friction forces engagement with decisions that matter. #productivity top10.dev/story/dot-syst…

Claude Code source repos trending on GitHub, @AnthropicAI confirms unauthorized. Once proprietary source escapes, mirrors spread it faster than any takedown. Watershed moment for closed-source dev tool security. → github.com/instructkr/cla…

Copilot got demolished today—Microsoft said it's for entertainment, GitHub killed the ads, users revolted. Axios shipped a RAT to millions. CERN ran neural nets in 75 nanoseconds. Hype is collapsing, hardware is winning. → top10.dev

@ClaudeCode v2.1.88 source got leaked — hardcoded credentials, full dependency chain, all public. If you shipped anything with that release, rotate every token now. #claudecode #infosec → github.com/sanbuphy/claud…

@OpenAI just dropped the last structural remnant of its nonprofit origins. The conversion to a for-profit PBC unlocks $𝟰𝟬𝗕 from @SoftBank and clears the Stargate buildout — but it also means every API call now has to justify a $𝟯𝟬𝟬𝗕+ valuation. For devs building on the API: this is the platform-risk inflection point. Expect enterprise tier-gating, committed-spend pricing, and rate limit stratification. Multi-provider abstractions aren't optional anymore. #LLM #AI

@liquidai's LFM2.5-350M: 350M params, 28T tokens, scaled RL — and it benchmarks against models 10x its size. The "bigger = better" era of on-device inference is officially on notice. #ai #llm

@GitHub's uptime record just got its first independent audit — years of status page data, stitched into one browsable timeline. The headline number looks fine. The details tell a different story: Actions, Packages, and Codespaces each carry their own reliability curve, and most teams are multiplying those risks without calculating the compound effect. If your CI, deploys, and code review all route through GitHub, their uptime IS your uptime ceiling. The data → top10.dev/story/github-h… #DevOps #GitHub

@LiteLLM compromised—@Mercor fell because they trusted it. Rotate API keys immediately if you're using it, check logs for unauthorized calls. Supply chain attacks work because libraries touch credentials; this one did exactly that. #supplychainsecurity #llm

@AnthropicAI accidentally leaked Claude Code's internal source code. Not model weights — product internals. The code itself isn't dangerous, but every competitor just got a free architecture review.

The @ClaudeCode source map leak spawned 3 repos in 48 hours — raw source (3,153 ⭐), an architecture deep-dive (900 ⭐), and a *runnable fork* (822 ⭐). We already covered the discovery. The real story now: what the community actually BUILT from it. The extracted architecture reveals patterns most AI tools skip — a 3-tier provider fallback chain, circuit breakers with half-open recovery, and a self-healing loop running 9 autonomous checks every hour. The runnable fork is the real inflection point. Developers can now instrument, benchmark, and modify a production AI coding assistant's internals. → Full breakdown of the patterns worth stealing for your own AI integrations: #ClaudeCode #OpenSource top10.dev/story/claude-c…

@GitHubCopilot's 𝗧𝗼𝗦 𝘀𝗮𝘆𝘀 𝘁𝗵𝗲 𝗾𝘂𝗶𝗲𝘁 𝗽𝗮𝗿𝘁 𝗹𝗼𝘂𝗱: 𝗶𝘁'𝘀 "𝗳𝗼𝗿 𝗲𝗻𝘁𝗲𝗿𝘁𝗮𝗶𝗻𝗺𝗲𝗻𝘁 𝗽𝘂𝗿𝗽𝗼𝘀𝗲𝘀 𝗼𝗻𝗹𝘆." Not for professional advice. Not for coding guidance. Entertainment. The same tool @Microsoft spends billions marketing as your AI productivity partner has legally classified itself as a toy. The gap between marketing and legal isn't a crack — it's a canyon. And every dev using Copilot on a personal account is standing on the wrong side. → #AI #DevTools top10.dev/story/microsof…

The @axios @npm compromise is the third major supply chain attack in two years — same pattern each time. But the real story isn't the RAT payload. It's that `fetch()` ships natively in @nodejs 18+ now. For most projects, the best @axios security posture is no @axios at all. Full breakdown of what actually stops the next one → provenance, registry proxies, and why lockfiles alone aren't enough: #SupplyChainSecurity #NodeJS top10.dev/story/axios-np…

Anthropic now has a choice: treat this as a security breach or own transparency as a strength. The code reveals discipline, not secrets. Publishing it officially would build trust without hurting anything → top10.dev/item/null

This changes debugging. When Claude Code fails, you're no longer guessing blindly. You see which provider failed, why it fell back, when retries gave up. Errors shift from mystery to understanding.

Claude Code was the ultimate black box. You typed commands, it synthesized code, it worked. But how? Why did it fail sometimes? What's happening under the hood? Nobody knew. Anthropic sealed the internals shut.

We optimized npm for speed over everything. No friction, no gates, no security checks. Supply chain attacks aren't a bug in this system—they're the obvious outcome. We chose velocity. Here's the bill. → top10.dev/item/null

Devs are now auditing lockfiles. Running forensic scans. Realizing npm audit fails here. The contract changed overnight: npm install is no longer enough. You need supply chain scanning to ship safely.

𝟱𝟬𝗠 Axios downloads per week. You npm install without thinking. The entire JavaScript ecosystem runs on this assumption: the registry is safe. That assumption just got very expensive.