Hacking Formula 1 🏎, living dangerously with Claude 🦈, non-mandatory code reviews ⛓️‍💥

TLDR

Together With Tessl

TLDR Dev 2025-10-24

AI Native DevCon hits Brooklyn Nov 18-19 (Sponsor)

Most dev conferences are still pretending AI coding tools are a novelty; most teams are already a few steps beyond.

AI Native DevCon is the only conference built entirely around spec-driven development and AI-native workflows. Instead of "intro to agents" talks, you get:

  • Workshops on building MCP servers, testing AI-generated code with Cursor (taught by Cursor's Shrey Shah), and managing agent fleets.
  • Guy Podjarny (Tessl) on scaling spec-driven dev
  • An AI tools cage match.
  • Additional talks by speakers from CrewAI, Snyk, Thoughtworks, and others

Can't make it to Brooklyn? Stream the main stage online.

Get 50% off with code TLDR. Register here

🧑‍💻

Articles & Tutorials

Hacking Formula 1: Accessing Max Verstappen's passport and PII through FIA bugs (5 minute read)

Devs discovered a vulnerability in the FIA Driver Categorisation portal that allowed them to escalate their privileges to administrator. This admin access granted them the ability to view sensitive PII, including passports and resumes, of F1 drivers like Max Verstappen. The vulnerability was reported to the FIA, which took the site offline and implemented a fix.

4 Unconventional Ways to Cast in Typescript (8 minute read)

This article goes over four unconventional methods to cast between types in TypeScript, showing potential unsoundness in the language's type system. These methods include abusing the `is` operator, using mutation across boundaries, exploiting structural typing, and manipulating `void` type combinations. While TypeScript generally provides good type safety, these techniques can introduce subtle bugs and unsafety.

How Memory Maps (mmap) Deliver 25x Faster File Access in Go (5 minute read)

Memory maps in Unix allow a file to be mapped into virtual memory, enabling direct reads via pointers instead of slower seek/read operations. Benchmarks in Go show memory maps can be up to 25 times faster than using `ReaderAt` for random lookups and iterations. While writing to memory maps is inefficient due to page faults, they can still be great for read-heavy operations when files are cached.

🧠

Opinions & Advice

The price of mandatory code reviews (7 minute read)

Based on data from 400+ companies and 3,000+ engineers, this article challenges the mandatory code review practice in software development. The research found that teams without code reviews are 1.9x more productive but produce 2.4x more bugs, while high-quality reviews (though 38% slower) reduce bugs by 61% compared to low-quality ones. Top-performing teams (90th percentile) achieve both speed and quality by being selective about when reviews are needed.

What Happened to Apple's Legendary Attention to Detail? (11 minute read)

Apple's attention to detail, a hallmark of the brand, has declined in the last 8-10 years. This article points out inconsistent UI design across apps, intrusive permission requests, and the buggy, visually flawed "liquid glass" design as evidence of a decline in user experience.

🚀

Launches & Tools

Webinar: Automate change management with Jira Service Management and Bitbucket (Sponsor)

Join this upcoming webinar on 10/29 to learn how to overcome common deployment challenges, improve visibility, and ultimately deliver higher-quality releases more efficiently. This webinar will cover Atlassian's unique approach to DevOps, practical implementation tips, and ways to improve collaboration between Dev and Ops with total traceability. Join live

Workflow (Website)

Workflow is a beta TypeScript framework that simplifies building durable and reliable asynchronous JavaScript applications and AI agents. It allows devs to define workflows and steps with simple directives, handling state management and retries automatically. The framework has built-in observability with traces, logs, and metrics.

Introducing PyTorch Monarch (17 minute read)

PyTorch Monarch is a distributed programming framework that makes cluster programming easier by treating resources as local, similar to single-machine Python. Monarch organizes resources into meshes, enabling operations on entire clusters with fault handling and separation of control and data planes. It provides distributed tensors that integrate with PyTorch, allowing operations across thousands of GPUs.

Web Codegen Scorer (GitHub Repo)

Web Codegen Scorer is a tool developed by the Angular team at Google for evaluating the quality of web code generated by LLMs. It focuses on web code quality and allows users to compare models, iterate on prompts, and monitor code quality over time using built-in checks like build success, security, and coding best practices.

🎁

Miscellaneous

Living dangerously with Claude (10 minute read)

Running coding agents like Claude with unrestricted permissions comes with increased productivity and the ability to outsource tasks, but also makes Claude vulnerable to prompt injection attacks. The safest thing to do is to sandbox coding agents, ideally on external systems with controlled network access, to mitigate these risks.

Programming With Less Than Nothing (9 minute read)

An interviewer asks a candidate to solve FizzBuzz, and the candidate responds by attempting to implement the entire problem using combinatory logic in JavaScript. The interviewer is initially skeptical, recognizing the approach as an exercise in reinventing programming primitives from lambda calculus. The candidate then constructs numbers, lists, and string manipulation functions using combinators, eventually producing the desired FizzBuzz output.

Quick Links

Tyler Tries DTrace (8 minute read)

This dev explored Node.js backpressure by modifying a Node.js build to disable it, using DTrace to measure garbage collection times, and found that disabling backpressure greatly increases garbage collection effort.

When You Get to Be Smart Writing a Macro (4 minute read)

This dev improved their debugging tool, `hashp` (a better `println`), to work seamlessly within Clojure's thread-first (`->`) and thread-last (`->>`) macros by using a clever probe technique that dynamically detects the macro's context.

Why /dev/null Is an ACID Compliant Database (1 minute read)

Technically, `/dev/null` is an ACID-compliant database due to its atomic, consistent, isolated, and durable behavior, despite offering 0 bytes of storage.

Surf (GitHub Repo)

Surf is an open-source, local-first AI notebook that helps users research and synthesize information from various media types by integrating files and web resources directly into a streamlined workflow.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of web developers and engineering decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Priyam Mohanty, Jenny Xu & Ceora Ford


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Dev isn't for you, please unsubscribe.
