We hacked Google's AI, Gemini and leaked its source code (at least some part) (21 minute read)
In March, Roni Carta (Lupin) and team disclosed that they hacked Google's AI, Gemini, during the 2024 LLM bugSWAT event, winning the Most Valuable Hacker award. They found a weakness in Gemini's Python sandbox that let them run arbitrary Python code and map the sandbox's filesystem, which in turn allowed them to extract a 579MB binary. Analyzing that binary revealed internal source code, including sensitive Google proto files that describe the metadata used to classify user data, as well as internal security proto definitions.

Components Are Just Sparkling Hooks (6 minute read)
Components and hooks are closely related in React. Components can be seen as a subtype of hooks: they inherit the Rules of Hooks and must return a ReactNode. Converting a component into a hook gives more flexibility to manage state and behavior separately from UI rendering, enabling patterns such as headless components.

Postmortem on Next.js Middleware bypass (6 minute read)
Vercel has published a postmortem on CVE-2025-29927, a critical vulnerability in Next.js that allowed Middleware to be bypassed. The timeline covers the report, investigation, patching, and public announcement. The root cause was the internal `x-middleware-subrequest` header, which the framework uses to mark its own subrequests so Middleware is not re-run recursively; because a value supplied by an external client was honoured, an attacker could send the header to skip Middleware (and any authentication or authorization it enforced). The fix stops trusting externally supplied values of that header. Self-hosted Next.js applications were affected; applications hosted on Vercel, Netlify, or Cloudflare Workers were not.

Karpathy's 'Vibe Coding' Movement Considered Harmful (5 minute read)
Andrej Karpathy's "vibe coding" means relying on AI tools without fully understanding the generated code. The author argues that this approach leads to technical debt, security vulnerabilities, and a loss of intellectual ownership over systems, and recommends a balanced approach instead: use AI assistance while maintaining engineering quality through architectural vision, focused code generation, thorough review, and comprehensive testing.
The way we're thinking about breaking changes is really silly (6 minute read)
Compilers have no concept of time: they treat code as if it had always existed in its current state, which leads to unnecessary breaking changes when dependencies are updated. The author argues that updates should preserve the behavior of existing code rather than require it to keep the old syntax, which means shipping automatic code migrations, analogous to database migrations, that apply transformations to call sites when a dependency is updated.

Json-edit-react (GitHub Repo)
Json-edit-react is a highly configurable React component for editing and viewing JSON/object data, with inline editing, granular control over which edits are allowed, JSON Schema validation, a customizable UI, and search/filtering. The component is self-contained with no external UI library dependencies and supports custom components, localization, drag-and-drop reordering, and keyboard customization.

PG-MCP (GitHub Repo)
PG-MCP is a PostgreSQL Model Context Protocol server for better AI agent interaction with databases. It extends the reference Postgres MCP implementation with multi-database support, rich catalog information, extension context, and query explanation. The server provides connection management and query tools, along with schema discovery and data access resources.

Why Apple's Severance Gets Edited Over Remote Desktop Software (11 minute read)
Apple's promotional video for "Severance" inadvertently revealed how professional video editors actually work: the editors use Macs for remote editing via Jump Desktop, a screen-sharing tool. The Mac's local horsepower therefore matters less than a fast internet connection and a powerful remote server.

The state of the front-end and full-stack job market (11 minute read)
React and Next.js are highly sought after, along with JavaScript and TypeScript. AWS is the dominant cloud provider and PostgreSQL remains a popular database. Although some technologies correlate with higher compensation, salaries rise only modestly with experience, and education beyond a bachelor's degree is rarely required.

Everyone knows all the apps on your phone (12 minute read)
Many Indian Android apps sidestep Google's restrictions on package visibility to collect data on which other apps are installed: instead of requesting the restricted QUERY_ALL_PACKAGES permission, they declare long lists of specific packages in their manifest so they can query for them. Swiggy and Zepto were found to query extensive lists of apps, while personal loan apps such as KreditBee and Moneyview query an excessive number. A broader loophole is declaring a query for the "ACTION_MAIN" intent, which lets an app enumerate every installed app that has a launchable user interface. Zepto's READ_SMS permission request illustrates how apps reach into personal data that can be shared with data brokers and used to adjust the prices users are shown.

What to Do (8 minute read)
Creating valuable and original things is necessary, because the ability to think deeply and clearly is uniquely human, and it is what produces the best products, ideas, companies, and art.

Why Is This Site Built With C (9 minute read)
This developer built their website in C to get fast, dependency-free, and long-lasting static site generation, using the md4c markdown parser, after being frustrated with the complexity and maintenance burden of previous attempts built on Django and Nuxt.js.

Thanks for reading, Priyam Mohanty, Jenny Xu & Ceora Ford