Computer Science and Programing

Brad Frost introduces 'mouth coding' — a practice of verbally collaborating with an LLM in real time to build websites during live conversations. Using a real-world example of redesigning a small counseling practice's website with his wife, he outlines the key ingredients: live conversation, speech-to-text transcription, solid UI infrastructure, live preview, additional context, and human judgment. He argues this approach democratizes web creation, enables genuine cross-disciplinary collaboration, and is especially valuable for nonprofits and small organizations that lack dedicated web staff. The core thesis is that AI should facilitate human creativity rather than replace it, and mouth coding represents the most participatory, inclusive design process he's experienced in years.

Spring Boot 3.5 reaches end of open-source support on June 30, 2026, but the real risk isn't the migration — it's what happens to CVE reporting afterward. Once a project goes EOL, security researchers stop filing reports against it, maintainers stop triaging, and the CVE pipeline dries up. Vulnerabilities don't disappear; they just stop being recorded. Bad actors exploit this gap by testing CVEs found in supported branches against EOL versions that will never receive patches. Spring Boot 2.7's post-EOL trajectory (e.g., CVE-2024-38807 with no open-source fix) illustrates the pattern. Teams still on 3.5 after June 2026 risk running what the author calls 'zombie dependencies' — technically present, functionally dead from a security standpoint, with scanners showing green while hidden vulnerabilities accumulate. The advice: assess the 3.5-to-4.0 migration scope now, before the silence sets in.

AI is not replacing software engineers wholesale — it's automating routine, execution-level coding tasks. The shift demands developers move from effort-based to impact-based engineering: understanding system architecture, applying clean code principles, debugging complex distributed systems, and taking ownership of outcomes. A five-step roadmap is outlined: strengthen CS fundamentals, build real-world systems with failure handling, master debugging, use AI as a tool rather than a crutch, and establish proof of work through public building and open-source contributions. The core argument is that source code is now a byproduct of thinking, not the primary output.

A veteran software engineer draws parallels between the Extreme Programming movement of the late 1990s and today's generative AI era, arguing that both represent 'rigor relocation' rather than loss of discipline. Just as XP replaced heavyweight processes with tighter feedback loops, and dynamic languages replaced static types with test-enforced correctness, AI-assisted development demands stricter specification of intent and ruthless evaluation of outputs. The core thesis: probabilistic code generation only works when deterministic constraints exist at the edges. Engineers who thrive will treat generation as a capability requiring more precision in specification, not less, and will build evaluation systems that fail loudly when code drifts from intent.

Node.js 24.15.0 'Krypton' LTS has been released with several notable changes: a new --max-heap-size CLI option, require(esm) and module compile cache marked as stable, raw key format support added to KeyObject crypto APIs, a throwIfNoEntry option for fs.stat, HTTP/1 fallback configuration for HTTP/2, setTOS/getTOS added to Socket, SQLite marked as release candidate with a new limits property, C++ support for diagnostics channels, and improvements to the test runner including worker ID exposure and SIGINT handling. The release also includes numerous bug fixes across streams, crypto, HTTP, ESM, and buffer modules, plus dependency updates including npm 11.12.1, SQLite 3.52.0, and updated root certificates.

Raw WebSocket provides a bidirectional pipe with no routing, subscriptions, or message structure. When building a voice call signaling system handling incoming calls, call events, and WebRTC negotiation simultaneously, this becomes a routing problem you must solve yourself. STOMP (Simple Text Oriented Messaging Protocol) adds destinations, subscriptions, and structured frames on top of WebSocket — similar to how HTTP adds structure over TCP. The post walks through a real Android signaling implementation using Ktor and a STOMP client, showing how three independent message streams (public calls, call events, WebRTC) share one WebSocket connection via STOMP subscriptions, with clean destination-based routing on the send side and a parsing layer that needs no routing logic because STOMP already handles delivery.

Astral shares the security practices they use to protect their open source tools (Ruff, uv, ty) from supply chain attacks. Key areas covered include: hardening GitHub Actions CI/CD by banning dangerous triggers like pull_request_target, pinning all actions to commit SHAs, limiting permissions, and isolating secrets in deployment environments. For releases, they use Trusted Publishing to eliminate long-lived credentials, Sigstore-based attestations, immutable releases, and two-person approval gates. They also use GitHub Apps to safely handle tasks that GitHub Actions can't do securely, maintain dependency hygiene with Dependabot/Renovate plus cooldowns, and contribute financially and technically to upstream projects. The post includes shareable GitHub rulesets and practical recommendations for other maintainers.