Week 15 Summary

Simon Willison — Week of 2026-04-04 to 2026-04-10

Highlight of the Week

Anthropic’s decision to delay the general release of their highly capable Claude Mythos model under “Project Glasswing” marks a significant turning point in the AI industry. The move underscores a massive shift in frontier model capabilities, as models evolve from generating text to autonomously chaining multiple minor vulnerabilities into sophisticated exploits, requiring a new level of security safeguards before release.

Week 19 Summary

Hacker News — Week of 2026-04-17 to 2026-05-01

Story of the Week

The systemic reckoning of GitHub is the most consequential story this week, driven by a perfect storm of architectural vulnerabilities and platform rot. Wiz Research dropped a terrifying remote code execution vulnerability (CVE-2026-3854) triggered by a single git push, highlighting the severe dangers of multi-service pipelines blindly trusting unsanitized delimiters. Combined with the platform admitting to being DDoSed by autonomous AI agents, migrating Copilot to usage-based billing, and heavyweights like Mitchell Hashimoto abandoning the platform due to relentless Actions outages, the engineering community is suddenly questioning the systemic risk of relying on a single, centralized forge.

Week 20 Summary

Engineering Reads — Week of 2026-05-07 to 2026-05-15

Week in Review

This week’s engineering discourse reflects a mature industry grappling with system boundaries and human intent. From constraining unpredictable AI integrations into strictly bounded functional workflows to leveraging organizational psychology to structure open-source compiler architecture, practitioners are aggressively reclaiming control over non-determinism. We are seeing a distinct pushback against buzzword-driven hype in favor of operational stability, rigorous domain modeling, and trusting native web standards over heavyweight abstractions.

2026-04-04

Simon Willison — 2026-04-04

Highlight

Simon highlights a staggering growth in developer activity on GitHub, pointing to massive recent surges in both commit volume and GitHub Actions usage. This brief but potent link post captures the sheer scale of how rapidly AI-assisted programming and automated workflows are accelerating platform activity.

Posts

[Quoting Kyle Daigle] · Source

Simon shares a striking quote from GitHub COO Kyle Daigle that reveals an explosive surge in overall platform activity. Commit rates have jumped to 275 million per week, which is on pace for 14 billion this year compared to just 1 billion total commits in 2025. Additionally, GitHub Actions usage has skyrocketed to 2.1 billion minutes in the current week alone, up from 1 billion minutes per week in 2025 and 500 million in 2023. This massive scale-up highlights the unprecedented velocity at which code is currently being generated, integrated, and tested across the developer ecosystem.

2026-04-09

Simon Willison — 2026-04-09

Highlight

Today’s most substantive update is the release of asgi-gzip 0.3, which serves as a great practical reminder of the hidden risks in automated maintenance workflows. A silently failing GitHub Action caused his library to miss a crucial upstream Starlette fix for Server-Sent Events (SSE) compression, which ended up breaking a new Datasette feature in production.

Posts

[asgi-gzip 0.3] · Source

Simon released an update to asgi-gzip after a production deployment of a new Server-Sent Events (SSE) feature for Datasette ran into trouble. The root cause was datasette-gzip incorrectly compressing text/event-stream responses. The library relies on a scheduled GitHub Actions workflow to port updates from Starlette, but the action had stopped running and missed Starlette’s upstream fix for this exact issue. By running the workflow and integrating the fix, both datasette-gzip and asgi-gzip now handle SSE responses correctly.

2026-04-28

Hacker News — 2026-04-28

Top Story

GitHub is currently experiencing a perfect storm of security, reliability, and community trust issues. Between Wiz Research dropping a terrifying remote code execution vulnerability triggered by a single git push, the platform admitting that autonomous AI agents are DDoSing their infrastructure, and high-profile developers like Mitchell Hashimoto abandoning the platform due to relentless daily outages, the developer community is seriously questioning the systemic risk of relying on a single, centralized forge.

2026-05-11

Engineering Reads — 2026-05-11

The Big Idea

The most critical insight today is a warning about the tension between chasing investor-driven AI narratives and focusing on core engineering fundamentals like platform stability. Sacrificing reliable infrastructure and clear technical migration paths in favor of buzzword-driven initiatives risks turning solid engineering platforms into fragile feature factories.

Deep Reads

I’m really frustrated that GitLab is doing layoffs · Xe Iaso · xeiaso.net

Xe Iaso offers a sharp critique of GitLab’s recent layoffs, arguing that the company missed a massive strategic window to capitalize on GitHub’s ongoing reliability issues. The author points out a highly pragmatic technical alternative: instead of pivoting to AI to appease investors, GitLab could have focused on system stability and built direct migration tooling to port existing GitHub Actions over to their ecosystem. Iaso also challenges GitLab’s newly stated mandate of achieving “Speed with Quality,” correctly identifying this as a classic engineering tradeoff where a system must usually optimize for one over the other. The specific fear here is that ignoring this tradeoff will degrade the product, turning the organization into a “feature factory” rather than a reliable platform. Engineering leaders and infrastructure engineers should read this as a stark reminder that solid fundamentals, operational stability, and solving immediate user friction often present better strategic opportunities than chasing the current hype cycle.