
Simon Willison — 2026-04-09

Highlight

Today’s most substantive update is the release of asgi-gzip 0.3, which serves as a practical reminder of the hidden risks in automated maintenance workflows. A silently failing GitHub Action caused Simon’s library to miss a crucial upstream Starlette fix for Server-Sent Events (SSE) compression, which ended up breaking a new Datasette feature in production.

Posts

asgi-gzip 0.3: Simon released an update to asgi-gzip after a production deployment of a new Server-Sent Events (SSE) feature for Datasette ran into trouble. The root cause was datasette-gzip incorrectly compressing text/event-stream responses. The library relies on a scheduled GitHub Actions workflow to port updates from Starlette, but the action had stopped running and missed Starlette’s upstream fix for this exact issue. By running the workflow and integrating the fix, both datasette-gzip and asgi-gzip now handle SSE responses correctly.
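To make the failure mode concrete, here is an added example (my own illustration, not code from asgi-gzip, datasette-gzip or Starlette) of a minimal ASGI gzip middleware that decides per response whether to compress, and that leaves text/event-stream responses untouched so the event stream reaches the client as the application sends it. The `sample_app`, its `/events` path and the response bodies are constructed for the demo; the only assumption about the protocol is the standard ASGI `http.response.start` / `http.response.body` message shape.

```python
"""ASGI gzip middleware that leaves Server-Sent Events alone (added example)."""
import asyncio
import gzip
import zlib


def should_compress(response_headers):
    """Decide from the response's own headers whether to gzip it.

    response_headers: list of (name, value) byte pairs from http.response.start.
    """
    content_type = b""
    for name, value in response_headers:
        if name.lower() == b"content-encoding":
            return False  # the app already encoded the body; never double-encode
        if name.lower() == b"content-type":
            content_type = value.lower()
    if content_type.startswith(b"text/event-stream"):
        return False  # SSE must reach the client chunk by chunk, untouched
    return True


class GzipMiddleware:
    """Compress responses for clients that advertise gzip support."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        request_headers = dict(scope.get("headers", []))
        if b"gzip" not in request_headers.get(b"accept-encoding", b""):
            return await self.app(scope, receive, send)
        await self.app(scope, receive, _GzipSender(send))


class _GzipSender:
    """Wraps ASGI send: decides at response.start, then compresses each body chunk."""

    def __init__(self, send):
        self.send = send
        self.compressor = None  # stays None when the response is passed through

    async def __call__(self, message):
        if message["type"] == "http.response.start":
            headers = list(message.get("headers", []))
            if should_compress(headers):
                # wbits=31 selects the gzip container; flushing per chunk keeps streaming intact
                self.compressor = zlib.compressobj(wbits=31)
                headers = [(n, v) for n, v in headers if n.lower() != b"content-length"]
                headers.append((b"content-encoding", b"gzip"))
                headers.append((b"vary", b"Accept-Encoding"))
                message = {**message, "headers": headers}
        elif message["type"] == "http.response.body" and self.compressor is not None:
            body = self.compressor.compress(message.get("body", b""))
            if message.get("more_body", False):
                body += self.compressor.flush(zlib.Z_SYNC_FLUSH)
            else:
                body += self.compressor.flush(zlib.Z_FINISH)
            message = {**message, "body": body}
        await self.send(message)


async def sample_app(scope, receive, send):
    """Constructed stand-in for an app with one HTML page and one SSE endpoint."""
    if scope["path"] == "/events":
        await send({"type": "http.response.start", "status": 200,
                    "headers": [(b"content-type", b"text/event-stream")]})
        await send({"type": "http.response.body", "body": b"data: one\n\n", "more_body": True})
        await send({"type": "http.response.body", "body": b"data: two\n\n"})
    else:
        await send({"type": "http.response.start", "status": 200,
                    "headers": [(b"content-type", b"text/html"), (b"content-length", b"280")]})
        await send({"type": "http.response.body", "body": b"<h1>hello</h1>" * 20})


async def drive(app, path, accept_encoding=b"gzip"):
    """Run one constructed request through an ASGI app; return (headers, body)."""
    scope = {"type": "http", "method": "GET", "path": path,
             "headers": [(b"accept-encoding", accept_encoding)]}
    messages = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        messages.append(message)

    await app(scope, receive, send)
    return dict(messages[0]["headers"]), b"".join(m.get("body", b"") for m in messages[1:])


def demo():
    app = GzipMiddleware(sample_app)
    html_headers, html_body = asyncio.run(drive(app, "/"))
    plain_headers, _ = asyncio.run(drive(app, "/", b"identity"))
    sse_headers, sse_body = asyncio.run(drive(app, "/events"))
    return {
        "html_encoding": html_headers.get(b"content-encoding"),
        "html_text": gzip.decompress(html_body),
        "html_no_accept": plain_headers.get(b"content-encoding"),
        "sse_encoding": sse_headers.get(b"content-encoding"),
        "sse_text": sse_body,
    }


if __name__ == "__main__":
    print(demo())
```

The decision is made at `http.response.start`, because that is the only message carrying the Content-Type; a middleware that inspects the request instead has no way to know that the application is about to stream events. Dropping Content-Length on compressed responses is required, since the encoded length differs from the header the application set.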


Simon Willison — 2026-04-06

Highlight

The most substantial update today is Simon’s look at the Google AI Edge Gallery, an official iOS app for running local Gemma 4 models directly on-device. It stands out as a major milestone for local AI, being the first time a local model vendor has shipped an official iPhone app with built-in tool-calling capabilities.

Posts

Google AI Edge Gallery: Simon highlights Google’s strangely named but highly effective official iOS app for running Gemma 4 (and 3) models natively. The 2.54GB E2B model runs fast and includes features like vision, up to 30 seconds of audio transcription, and an impressive “skills” demo showcasing tool calling against eight different HTML widgets. Despite a minor app freeze bug and the unfortunate lack of permanent chat logs, Simon considers it a significant release as the first official iOS app from a local model vendor.


Simon Willison — 2026-04-14

Highlight

Simon highlights a fascinating paradigm shift in AI security: treating vulnerability discovery as an economic “proof of work” equation where spending more tokens yields better hardening. This creates a compelling new argument for the enduring value of open-source libraries in the age of vibe-coding, as the massive cost of AI security reviews can be shared across all of a project’s users.

Posts

datasette PR #2689: Replace token-based CSRF with Sec-Fetch-Site header protection: Simon has replaced Datasette’s cumbersome token-based CSRF protection with a new middleware relying on the Sec-Fetch-Site header, inspired by Filippo Valsorda’s research and recent changes in Go 1.25. This modern approach eliminates the need to scatter hidden CSRF token inputs throughout templates or selectively disable protection for external APIs. Interestingly, while Claude Code handled the bulk of the commits under Simon’s guidance with cross-review by GPT-5.4, Simon chose to hand-write the PR description himself as an exercise in conciseness and keeping himself honest.
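The decision logic behind this kind of middleware is short enough to show in full. The following is an added example written for this digest, not the code from the Datasette PR: a pure decision function plus an ASGI wrapper around it. The order of checks follows the published description of Go 1.25’s `http.CrossOriginProtection` (Fetch metadata first, then an Origin-versus-Host fallback for clients that send no `Sec-Fetch-Site`); the `trusted_origins` allow-list, the `echo_app`, and the host names in `demo()` are constructed for the example.

```python
"""Sec-Fetch-Site based CSRF protection as an ASGI middleware (added example)."""
import asyncio
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def csrf_decision(method, headers, trusted_origins=frozenset()):
    """Return (allowed, reason) for one request.

    headers: dict mapping lower-cased header names to string values.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = headers.get("origin")
    if origin in trusted_origins:
        return True, "trusted origin"
    site = headers.get("sec-fetch-site")
    if site is not None:
        # Modern browsers attach Fetch metadata to every request they make.
        # same-origin: page on this origin; none: typed URL, bookmark, etc.
        if site in ("same-origin", "none"):
            return True, f"sec-fetch-site={site}"
        return False, f"sec-fetch-site={site}"
    # No Fetch metadata: either an old browser or a non-browser client.
    if origin is None:
        # curl, scripts, server-to-server calls: no ambient browser context
        # is forging this request, so there is nothing to protect against.
        return True, "no browser origin"
    host = headers.get("host", "")
    if urlsplit(origin).netloc.lower() == host.lower():
        return True, "origin matches host"
    return False, "origin does not match host"


class SecFetchSiteCSRFMiddleware:
    """Reject cross-site unsafe requests with 403 before they reach the app."""

    def __init__(self, app, trusted_origins=()):
        self.app = app
        self.trusted_origins = frozenset(trusted_origins)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        headers = {
            name.decode("latin-1").lower(): value.decode("latin-1")
            for name, value in scope.get("headers", [])
        }
        allowed, reason = csrf_decision(scope["method"], headers, self.trusted_origins)
        if not allowed:
            body = f"403 Forbidden: CSRF check failed ({reason})".encode()
            await send({"type": "http.response.start", "status": 403,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": body})
            return
        await self.app(scope, receive, send)


async def echo_app(scope, receive, send):
    """Constructed stand-in for the protected application."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"ok"})


async def call_app(app, method, headers):
    """Drive an ASGI app with a constructed scope; return the response status."""
    scope = {"type": "http", "method": method,
             "headers": [(k.encode(), v.encode()) for k, v in headers.items()]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    await app(scope, receive, send)
    return sent[0]["status"]


def demo():
    """Run representative requests (constructed) through the middleware."""
    app = SecFetchSiteCSRFMiddleware(echo_app, trusted_origins={"https://partner.example"})
    host = "datasette.example"
    cases = {
        "get": ("GET", {"host": host, "sec-fetch-site": "cross-site"}),
        "same-origin post": ("POST", {"host": host, "sec-fetch-site": "same-origin"}),
        "typed-url post": ("POST", {"host": host, "sec-fetch-site": "none"}),
        "cross-site post": ("POST", {"host": host, "sec-fetch-site": "cross-site",
                                      "origin": "https://other-site.example"}),
        "trusted partner post": ("POST", {"host": host, "sec-fetch-site": "cross-site",
                                           "origin": "https://partner.example"}),
        "curl post": ("POST", {"host": host}),
        "old browser, same host": ("POST", {"host": host, "origin": "https://datasette.example"}),
        "old browser, other host": ("POST", {"host": host, "origin": "https://other-site.example"}),
    }
    return {name: asyncio.run(call_app(app, m, h)) for name, (m, h) in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status}  {name}")
```

Two properties make this workable without per-form tokens: browsers set `Sec-Fetch-Site` themselves and scripts cannot override it, and a client that sends neither Fetch metadata nor an `Origin` header is not a browser acting on behalf of another site. The `trusted_origins` allow-list is the replacement for selectively disabling protection on API routes: the cross-origin callers you actually expect are named once, centrally.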


Simon Willison — Week of 2026-04-04 to 2026-04-10

Highlight of the Week

Anthropic’s decision to delay the general release of their highly capable Claude Mythos model under “Project Glasswing” marks a significant turning point in the AI industry. The move underscores a massive shift in frontier model capabilities, as models evolve from generating text to autonomously chaining multiple minor vulnerabilities into sophisticated exploits, requiring a new level of security safeguards before release.