-
Swift 6.3 Stabilizes Android SDK, Extends C Interop, and More
Swift 6.3 advances Swift's cross-platform story with official Android support, significantly improves C interoperability through the new @c attribute, and continues extending embedded programming support. It also strengthens the ecosystem with a unified build system direction and gives developers more low-level performance control.
-
Open Source Security Tool Trivy Hit by Supply Chain Attack, Prompting Urgent Industry Response
A major security incident affecting the widely used open source vulnerability scanner Trivy has exposed critical weaknesses in software supply chain security, after maintainers confirmed that a malicious release was briefly distributed to users.
-
Module Federation 2.0 Reaches Stable Release with Wider Support Outside of Webpack
Module Federation 2.0, an open-source micro-frontend mechanism introduced with webpack 5, offers significant updates including dynamic TypeScript type hints, decoupled runtime layers, and Node.js support. It enhances compatibility across various bundlers and frameworks. Key features include a Side Effect Scanner and easier integration for remote modules, addressing previous adoption challenges.
-
GitHub Integrates AI to Improve Accessibility Issue Management and Automate Feedback Triage
GitHub has launched a continuous AI-powered workflow to manage accessibility feedback at scale. Using GitHub Actions, Copilot, and Models APIs, the system centralizes reports, analyzes WCAG compliance, and automates triage while maintaining human validation. Teams now resolve feedback faster, improving inclusion and cross-functional collaboration.
-
Axios npm Package Compromised in Supply Chain Attack
On March 31, 2026, two versions of the Axios library were compromised and found to contain a Remote Access Trojan. The malicious packages were published through a hijacked maintainer account. The Axios team is investigating how the breach occurred and has deprecated the affected versions. Security experts emphasize the need for better dependency management.
-
Helidon 4.4.0 Introduces Alignment with OpenJDK Cadence and Support via Java Verified Portfolio
Oracle has released version 4.4.0 of Helidon, their microservices framework, featuring alignment with the OpenJDK release cadence, support via the new Java Verified Portfolio, new core capabilities, and agentic AI support for LangChain4j.
-
How to Handle Trusts and Psychological Safety When Scaling Organizations
As organizations scale, communication overload, loss of shared context, and trust gaps emerge, Charlotte de Jong Schouwenburg mentioned. Trust must be built team by team; it can’t be replicated. Trust is interpersonal, while psychological safety is among people and fuels learning. Leaders must deliberately design structures, rituals, and metrics that reward transparency and cohesion at scale.
-
GitHub Will Use Copilot Interaction Data from Free, Pro, and Pro+ Users to Train AI Models
GitHub will use Copilot interaction data from Free, Pro, and Pro+ users to train AI models starting April 24, with users opted in by default. Collected data includes code snippets, inputs, outputs, and navigation patterns from active sessions, including private repos. Business and Enterprise tiers are excluded. Community concerns include dark patterns, IP exposure, and GDPR compliance.
-
ESLint v10: Flat Config Completion and JSX Tracking
ESLint version 10 has removed the legacy eslintrc configuration system, finalizing a long transition to flat config. The update enhances developer experience, especially for plugin authors and monorepo teams, by changing configuration file location and improving JSX reference tracking. Node.js support has been tightened, and new assertion options have been added to the RuleTester API.
-
Pinterest Deploys Production-Scale Model Context Protocol Ecosystem for AI Agent Workflows
Pinterest engineering teams have deployed a production-ready Model Context Protocol (MCP) ecosystem that allows AI agents to automate complex engineering tasks and integrate diverse internal tools. Domain-specific MCP servers, a central registry, and human-in-the-loop approval improve security, governance, and developer productivity while saving thousands of hours per month.
-
Cloudflare Launches Dynamic Workers Open Beta: Isolate-Based Sandboxing for AI Agent Code Execution
Cloudflare has released Dynamic Worker Loader into open beta, offering V8 isolate-based sandboxing for AI-generated code execution. The company claims isolates start in milliseconds, using megabytes of memory, making them roughly 100x faster and up to 100x more memory-efficient than containers. The feature builds on Cloudflare's Code Mode approach.
-
PyPI Supply Chain Attack Compromises LiteLLM, Enabling the Exfiltration of Sensitive Information
Discovered by FutureSearch researcher Callum McMahon, a supply chain attack against LiteLLM on PyPI resulted in over 40 thousand downloads of a compromised version that installed a malicious payload capable of harvesting and exfiltrating sensitive information. LiteLLM is downloaded roughly 3 million times per day.
-
Agentic AI Patterns Reinforce Engineering Discipline
Paul Duvall recently discussed his library of engineering patterns for AI-assisted development and practices that ground high-quality delivery. Related discussions from Paul Stack and Gergely Orosz highlight a shift toward remixing and specification-driven development.
-
Kubernetes Autoscaling Demands New Observability Focus beyond Vendor Tooling
As adoption of Kubernetes autoscalers like Karpenter accelerates, a new set of platform-agnostic observability practices is emerging, shifting focus from traditional infrastructure metrics to deeper insights into provisioning behavior, scheduling latency, and cost efficiency.
-
TanStack Start Introduces Import Protection to Enforce Server and Client Boundaries
TanStack Start has introduced import protection, which aims to prevent server and client code from being mixed in full-stack React applications. This Vite plugin automatically checks imports during development and build processes. It blocks harmful imports by file naming conventions or explicit markers, enhancing security and reducing bugs without requiring additional developer input.