AI エージェントがインタラクティブな UI を返すことを可能にする MCP UI

MCP UI は Model Context Protocol (MCP) を拡張して、AI エージェントがインタラクティブな UI コンポーネントを返すことを可能にする仕組みです。これにより、AI エージェントとのチャットの返答としてグラフや画像ギャラリー、購入フォームなどを表示できます。この記事では MCP UI の SDK を利用して、AI エージェントがインタラクティブな UI コンポーネントを返す方法を試してみます。

Hypothesis is now thread-safe

Hypothesis is a property-based testing library for Python. It lets you write tests like this one: from hypothesis import given, strategies as st @given(st.lists(st.integers())) def test_matches_builtin(ls): assert sorted(ls) == my_sort(ls) …

npm Adopts OIDC for Trusted Publishing in CI/CD Workflows

npm now supports Trusted Publishing with OIDC, enabling secure package publishing directly from CI/CD workflows without relying on long-lived tokens.

How to Prepare for CSS-Specific Interview Questions

Get advice answering a set of 10 CSS-related questions you likely will encounter in front-end interviews.

60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign

A RubyGems malware campaign used 60 malicious packages posing as automation tools to steal credentials from social media and marketing tool users.

I’ve designed AI assistants — Here’s what actually works

Learn how to design AI assistants that are purpose‑driven, user‑focused, and built on trust with reusable UI patterns and clear interactions.

New CNA Scorecard Tool Ranks CVE Data Quality Across the Ecosystem

The CNA Scorecard ranks CVE issuers by data completeness, revealing major gaps in patch info and software identifiers across thousands of vulnerabilit...

2025-08-07のJS: Node.js v22.18.0 (LTS)、TypeScript 5.9、Panda CSS v1

JSer.info #744 - Node.js v22.18.0がリリースされました。

A guide to designing successful product management workshops

Learn how to design product management workshops that drive alignment, decisions, and strategic outcomes instead of just activities.

アニメーションのフレームをテストしない。その理由を解説します。

Malicious npm Packages Target WhatsApp Developers with Remote Kill Switch

Two npm packages masquerading as WhatsApp developer libraries include a kill switch that deletes all files if the phone number isn’t whitelisted.

Tom MacWright: Observable Notebooks 2.0

Observable announced Observable Notebooks 2.0 last week - the latest take on their JavaScript notebook technology, this time with an open file format and a brand new macOS desktop app. …

11 Malicious Go Packages Distribute Obfuscated Remote Payloads

Socket uncovered 11 malicious Go packages using obfuscated loaders to fetch and execute second-stage payloads via C2 domains.

Convert HTML to Design in Figma

Convert HTML to design in Figma instantly. Import websites into fully editable Figma designs and generate on-brand variations with AI.

How Arcjet approaches open source

How we think about open source licensing, releasing open source projects, forks, and contributing upstream.

Bringing Back Parallax With Scroll-Driven CSS Animations

Parallax is a pattern in which different elements of a webpage move at varying speeds as the user scrolls, creating a three-dimensional, layered appearance. It once required JavaScript. Now we have scroll-driven animations in CSS, which is free from the main-thread blocking that can plague JavaScript animations.

Fix over-caching with dynamic IO caching in Next.js 15

Next.js 15 caching overhaul: Fix overcaching with Dynamic IO and the use cache directive.

TC39 Advances 11 Proposals for Math Precision, Binary APIs, and More

TC39 advances 11 JavaScript proposals, with two moving to Stage 4, bringing better math, binary APIs, and more features one step closer to the ECMAScr...

No, AI is not Making Engineers 10x as Productive

Colton Voege on "curing your AI 10x engineer imposter syndrome". There's a lot of rhetoric out there suggesting that if you can't 10x your productivity through tricks like running a …

How to set up and use the Linear MCP server

Learn how to set up and use the Linear MCP server. Fusion supercharges your project management using AI integrations.

Understanding Flame Graphs in Node.js (and How AI Makes Them Easier with N|Solid)

Flame graphs are one of the most powerful tools for understanding performance bottlenecks, but they can also be one of the hardest to read.

Introducing NCM v3: AI-Enhanced Security & Performance for Node.js

Today, we’re proud to introduce NodeSource Certified Modules v3 (NCM v3): a complete rearchitecture of our module scanning and observability engine.

UX analytics changed my career — here’s how it can change yours

Analytics helped me stop guessing and start designing smarter. Here’s how it made me a better UX designer.

How to build autonomous teams that still see the bigger picture

Discover how to keep outcome-driven teams focused on the big picture and prevent siloed thinking that slows product success.

ボックスモデルの要約による簡易 VRT を作ってみた - @mizchi/visc

A Friendly Introduction to SVG

This SVG tutorial by Josh Comeau is fantastic. It's filled with newt interactive illustrations - with a pleasing subtly "click" audio effect as you adjust their sliders - and provides …

ChatGPT agent triggers crawls from Bingbot and Yandex

ChatGPT agent is the recently released (and confusingly named) ChatGPT feature that provides browser automation combined with terminal access as a feature of ChatGPT—replacing their previous Operator research preview which …

ChatGPT agent's user-agent

I was exploring how ChatGPT agent works today. I learned some interesting things about how it exposes its identity through HTTP headers, then made a huge blunder in thinking it …

Thinking Deeply About Theming and Color Naming

Today, I want to discuss a couple of patterns for naming color palettes that the community is using, and how I propose we can improve, so we achieve both flexibility and beauty.

Copilot ChatのAgentモードでCerebrasのQwen3 Coderを使う

GitHub Copilot Chatには「Bring Your Own Key (BYOK)」機能があり、OpenAIやAnthropic、OpenRouter、Groq、 Ollamaなど様々なプロバイダーのモデルを使用できます。 AI language models in VS CodeLearn how to choose between different AI language models and how to use your own language model API key in Visual Studio Code.MicrosoftMicrosoft しかし、私が利用したいCerebrasのAPIサポートはまだ公式には含まれていません。 幸いなことに、Copilot ChatのVS Code拡張機能のソースコードが公開されているため、自分でプロバイダーを追加することができます。今回は、

React Query Selectors, Supercharged

How to get the most out of select, sprinkled with some TypeScript tips.

The ChatGPT sharing dialog demonstrates how difficult it is to design privacy preferences

ChatGPT just removed their “make this chat discoverable” sharing feature, after it turned out a material volume of users had inadvertantly made their private chats available via Google search. Dane …

From Async/Await to Virtual Threads

Armin Ronacher has long been critical of async/await in Python, both for necessitating colored functions and because of the more subtle challenges they introduce like managing back pressure. Armin argued …

次期GPT系モデルかもしれない「Horizon Beta」のコーディング性能を検証する

2025年7月30日、OpenRouter上に「Horizon Alpha」という詳細不明のステルスモデルが登場しました。その後「Horizon Beta」という名前に置き換わりました。このモデルは、OpenAIの次期モデルのテスト用ではないか？と注目を集めています。今回は、このモデルの性能をコーディングタスクで検証しました。 https://openrouter.ai/openrouter/horizon-beta 特徴 * コンテキストウィンドウ: 256K（GPT-4.1の1M、o3/o4-miniの200Kと比較して中規模） * スループット: 126.9 tps（Sonnet 4の64.50 tpsの約2倍。コーディング時に体感で早い） * Reasoning機構: なし 本当にOpenAI系のモデルなのか？ OpenAI系のモデルである可能性が議論されています。過去にもQuasar Alpha/Optimus AlphaがGPT-4.1リリース前に登場した経緯があり、今回も同様のパターンかもしれません。 直系のGPT-5ならコンテキストウィンドウは１M

コーディングのための LLM モデル Qwen3-Coder を試してみた

Alibaba が開発した Qwen3-Coder を使用したコーディングエージェント Qwen Code を試してみた記事です。OpenRouter 経由での認証設定、コードベースの調査、リファクタリング、テストコード生成などの実際の使用例を紹介しています。

Re-label the "Save" button to be "Publish", to better indicate to users the outcomes of their action

Fascinating Wikipedia usability improvement issue from 2016: From feedback we get repeatedly as a development team from interviews, user testing and other solicited and unsolicited avenues, and by inspection from …

Serena MCPはClaude Codeを救うのか？

「Claude Codeがアホになる問題」が勃発している最中、SerenaというMCPサーバーが「Claude Codeのコンテキスト消費を削減し、応答を改善する」という評価でユーザーたちの間で注目されています。 筆者も実際にSerenaを使ってみたところ、確かにコンテキスト効率の改善（入出力トークンの減少を指します）を実感できました。詳しく調べてみると、このツールは非常にユニークな発想で設計されており、一過性の流行として消費されるには惜しいと感じました。 そこで、本記事では、この機能の背景にある技術的な仕組みを詳しく解説したいと思います。実際の検証も交えながら、Serenaのアーキテクチャとその効果を分析していきます。 現在のコーディングエージェントが抱える課題 現在のコーディングエージェントの多くは、コードを単なるテキストファイルとして扱って逐次的な処理をしています。この根本的なアプローチが、制約を生み出しています。 大規模なプロジェクトで作業する際、エージェントは必要な情報を見つけるために膨大なテキストを読み込まなければなりません。関数の定義を探すだけでも、リポジトリ

コーディングエージェントの能力を拡張する Serena を試してみた

LSP を活用してセマンティックなコード検索・編集能力を提供する MCP サーバー Serena の導入・使用方法を紹介。Claude Code でのオンボーディングからリファクタリングまでの実践的な活用例を解説します。

Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape

A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).

Introducing License Overlays: Smarter License Management for Real-World Code

Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.

SvelteKit の remote functions でコンポーネント内で非同期にデータを取得する

SvelteKit の remote functions を使用することで、コンポーネント内で直接非同期にデータを取得したり、サーバーにデータを書き込むことができます。これにより、コンポーネントごとに必要なデータを個別に取得できるようになり、コードの責任の分離が容易になります。remote functions は SvelteKit v2.27 以降で利用可能です。

OXCのASTに詳しいMCPサーバーを作った

特定のcrateで公開されてるstructとenumを列挙する

企業向け Web Bootcamp 2025 開催後記

2025 年 6 月初旬に、副業で Web 技術アドバイザをしている企業の Web チームエンジニア向けに、4 日間の Web Bootcamp を実施した。

Trying out Qwen3 Coder Flash using LM Studio and Open WebUI and LLM

Qwen just released their sixth model(!) for this July called Qwen3-Coder-30B-A3B-Instruct—listed as Qwen3-Coder-Flash in their chat.qwen.ai interface. It’s 30.5B total parameters with 3.3B active at any one time. This means …

Introducing Rust Support in Socket

Socket now supports Rust and Cargo, offering package search for all users and experimental SBOM generation for enterprise projects.

Windsurf vs. Cursor: When to choose the challenger

Explore Windsurf AI’s Cascade agent, IDE integration, pricing, and how it stacks up against Cursor in this hands-on developer-focused comparison.

The attention crisis: How to lead teams in a 40-second world

Learn why attention spans are shrinking and how product managers can foster focus, respect, and better communication at work.

この夏押さえておきたいJavaScriptの文字列操作コレクション

State of HTML 2025 の開始など: Cybozu Frontend Weekly (2025-07-29号)

Announcing Precomputed Reachability Analysis in Socket

Socket’s precomputed reachability slashes false positives by flagging up to 80% of vulnerabilities as irrelevant, with no setup and instant results.

Cursor + Figma MCP Server

Connect Figma directly to Cursor AI with MCP Server. Complete setup guide for design-to-code workflow, plus limitations and better alternatives.

2025-07-31のJS: Nuxt 3.18、Bun v1.2.19、SVG入門

JSer.info #743 - Nuxt 3.18がリリースされました。

Surprises and trends from this year’s Design Tools Survey results

Discover key trends from the Design Tools Survey including AI adoption, Figma’s dominance, and what’s next for UX designers in 2025.

Keeping Article Demos Alive When Third-Party APIs Die

Is there a way to build demos that do not break when the services they rely on fail? How can we ensure educational demos stay available for as long as possible?

The CSS if() function: Conditional styling will never be the same

Explore how the if() function works, see practical examples, and compare it to existing CSS conditional techniques.

opencode + kimi-k2 を動かす

Socket Now Protects the Chrome Extension Ecosystem

Socket is launching experimental protection for Chrome extensions, scanning for malware and risky permissions to prevent silent supply chain attacks.

The Math Is Haunted

A taste of Lean.

Introducing Socket MCP for Claude Desktop

Add secure dependency scanning to Claude Desktop with Socket MCP, a one-click extension that keeps your coding conversations safe from malicious packa...

Test-driven development with AI

Learn how AI transforms test-driven development (TDD) from a time-consuming chore into your secret weapon for building robust and bug-free applications.

Designing AI products that work for both users and the enterprise

Designing AI products isn’t just about users; it’s also about trust. Here’s what I learned about balancing usability with governance in enterprise UX.

Next.js 15.4 is here: What’s new and what to expect

Break down what’s new in 15.4, explore some hidden gems, and take a quick look at what’s ahead with Next.js 16.

My 2.5 year old laptop can write Space Invaders in JavaScript now, using GLM-4.5 Air and MLX

I wrote about the new GLM-4.5 model family yesterday—new open weight (MIT licensed) models from Z.ai in China which their benchmarks claim score highly in coding even against models such …

Build interactive React UIs for LLM outputs using llm-ui

Build smarter React apps with llm-ui. This guide shows how to stream Gemini API output, detect code blocks, and render syntax-highlighted content.

How to manage 20+ stakeholders without losing your mind

Practical strategies to classify, prioritize, and communicate with 20+ stakeholders so product managers can stay aligned and avoid chaos.

モジュールを外から見た振る舞いだけAIレビューさせる smoke-review

Introducing Scala and Kotlin Support in Socket

Socket now supports Scala and Kotlin, bringing AI-powered threat detection to JVM projects with easy manifest generation and fast, accurate scans.

Claude Code + Figma MCP Server

Learn how Figma MCP Server + Claude Code enables AI-powered design-to-code conversion. Setup guide, real limitations, and enterprise alternatives inside.

Why I think v0 is a great prototyping tool for designers

GenUI tools are reshaping UX workflows. See how v0 speeds up design, closes the dev gap, and challenges how we prototype.

How I debug faster with these Chrome DevTools Console features

Improve the old-fashioned debugging JavaScript workflow by effectively using some lesser-known Chrome DevTools console features.

Making a Masonry Layout That Works Today

I went on to figure out how make masonry work today with other browsers. I'm happy to report I've found a way — and, bonus! — that support can be provided with only 66 lines of JavaScript.

The Useless useCallback

Why most memoization is downright useless...

The many, many, many JavaScript runtimes of the last decade

Extraordinary piece of writing by Jamie Birch who spent over a year putting together this comprehensive reference to JavaScript runtimes. It covers everything from Node.js, Deno, Electron, AWS Lambda, Cloudflare …

TIL: Exception.add_note

Neat tip from Danny Roy Greenfeld: Python 3.11 added a .add_note(message: str) method to the BaseException class, which means you can add one or more extra notes to any Python …

Enough AI copilots! We need AI HUDs

Geoffrey Litt compares Copilots - AI assistants that you engage in dialog with and work with you to complete a task - with HUDs, Head-Up Displays, which enhance your working …

How to evaluate vibe coding tools for your enterprise

Enterprise guide to evaluating AI coding tools: two solution types, evaluation criteria, and a 7-step POC framework for teams.

AI + a16z Podcast: Vibe Coding, Security Risks, and the Path to Progress

Socket CEO Feross Aboukhadijeh and a16z partner Joel de la Garza discuss vibe coding, AI-driven software development, and how the rise of LLMs, despit...

Cookie を管理する非同期 API CookieStore

従来の JavaScript では Cookie の管理は `document.cookie` を使用して文字列で行われていました。しかし、文字列での Cookie 管理は面倒で間違いやすいです。また `document.cookie` は同期的に動作するため、Cookie の更新が完了するまでイベントループがブロックされてしまいます。さらに `document` オブジェクトに依存しているため、Web Worker や Service Worker などの非同期環境では使用できません。 このような問題を解決するために、非同期 API `CookieStore` が導入されました。`CookieStore` は非同期的に Cookie の読み書きを行うことができ、さらに Cookie の属性をオブジェクトとして扱うことができます。

How to Discover a CSS Trick

Do we invent or discover CSS tricks? Lee Meyer discusses how creative limitations, recursive thinking, and unexpected combinations lead to his most interesting ideas.

Catch frontend issues before users using chaos engineering

This article covers how frontend chaos engineering helps catch UI and UX issues before users experience them using tools like gremlins.js.

Next.js 15.4リリースなど: Cybozu Frontend Weekly (2025-07-22号)

1Password と遺言保管制度を用いたデジタル終活

筆者のように、インターネット上での生活が長く、かつエンジニアとして生きてきた人間には、一般の人には伝わりにくいデジタルの遺品が多く存在する。仮に自分が死んだ場合に、これらをどのように遺族に処分してもらうかは、なかなか難しい問題だ。筆者はこの「デジタル終活」をどうするかを、長...

Atomic Design Certification Course

Brad Frost introduced the "Atomic Design" concept wayyyy back in 2013. He even wrote a book on it. And we all took notice, because that term has been part of

How a UX redesign increased redemptions by over 58 percent

A broken OTP flow hurt trust and revenue. Here's how UX analytics helped me fix it and why every designer should track impact.

Using GitHub Spark to reverse engineer GitHub Spark

GitHub Spark was released in public preview yesterday. It’s GitHub’s implementation of the prompt-to-app pattern also seen in products like Claude Artifacts, Lovable, Vercel v0, Val Town Townie and Fly.io’s …

Deno 2.4 is here: What’s new and what to expect

Learn about the most impactful changes in Deno 2.4, including the return of a first-party bundler and new spec-aligned ways to handle assets.

Migrating Tanstack Start from Vinxi to Vite

Update your TanStack Start project from Vinxi to a Vite-based setup, including dependency adjustments and configuration file updates.

Why PMs must help architect distribution, not just adapt to it

PMs need to move beyond feature delivery to help shape distribution strategy. Learn how org design can support this shift.

Building Scalable APIs with Node.js and TypeScript

In this post, we’re gonna break down how to build scalable APIs using Node.js and TypeScript without overcomplicating things.

a11y 上の理由で Deprecated になった HTML と ARIA まとめ

I Drank Every Cocktail

Adam Aaronson drank his way through all 102 cocktails on the IBA cocktails list - published by the International Bartenders Association since 1961, with the most recent update in 2024. …

親にエンディングノートを書いてもらう

親の年齢に限らず、生きているうちにやってもらった方がいい、たった 1 つのこととして、エンディングノートの作成がある。終活は、それをどのくらい準備しておくかで、本人以上に遺族の負担が格段に減るからだ。

Toptal’s GitHub Organization Hijacked: 10 Malicious Packages Published

Threat actors hijacked Toptal’s GitHub org, publishing npm packages with malicious payloads that steal tokens and attempt to wipe victim systems.

Introducing OSS Rebuild: Open Source, Rebuilt to Last

Major news on the Reproducible Builds front: the Google Security team have announced OSS Rebuild, their project to provide build attestations for open source packages released through the NPM, PyPI …

Announcing Toad - a universal UI for agentic coding in the terminal

Will McGugan is building his own take on a terminal coding assistant, in the style of Claude Code and Gemini CLI, using his Textual Python library as the display layer. …

1KB JS Numbers Station

Terence Eden built a neat and weird 1023 byte JavaScript demo that simulates a numbers station using the browser SpeechSynthesisUtterance, which I hadn't realized is supported by every modern browser …

Arcjet product philosophy: products & primitives

How do you design a security product for developers when they allegedly don't care about security?

discord から claude-code を操作する(一時的な)サーバーを建てる

Surveillance Malware Hidden in npm and PyPI Packages Targets Developers with Keyloggers, Webcam Capture, and Credential Theft

Socket researchers investigate 4 malicious npm and PyPI packages with 56,000+ downloads that install surveillance malware.

What are the AI-proof skills every frontend developer needs?

The AI freight train shows no signs of slowing down. Seven senior developers discuss how frontend devs can make themselves indispensable in the age of AI.

A First Look at the Interest Invoker API (for Hover-Triggered Popovers)

Chrome 139 is experimenting with Open UI’s proposed Interest Invoker API, which would be used to create tooltips, hover menus, hover cards, quick actions, and other types of UIs for showing more information with hover interactions.

Passkey への道 #10: 1Password 導入セミナー

先日、Passkey 啓蒙の一環で、まだパスワードマネージャを導入してない人に対する「1Password 導入セミナー」を実施した。その内容を再収録したものを公開する。ざっくりと、前半が一般ユーザ、後半が開発者向けの内容となっている。動画及び資料は、啓蒙目的であれば自由に使...

npm ‘is’ Package Hijacked in Expanding Supply Chain Attack

The ongoing npm phishing campaign escalates as attackers hijack the popular 'is' package, embedding malware in multiple versions.

Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs

A critical flaw in the popular npm form-data package could allow HTTP parameter pollution, affecting millions of projects until patched versions are a...

Convert Figma to Angular Code Using AI

Stop manually converting Figma designs to Angular. Fusion AI generates clean Angular code from Figma files, handles variants, and respects your design system.

Here’s how I’d design a mega menu — with 3 great examples

Designing a mega menu isn’t just about listing links. It’s about helping users move fast, with confidence. These 3 websites show us how it’s done.

Angular has grown up — and the best is yet to come

It’s never been a better time to be an Angular dev. Reflect on the highlights of Angular's evolution from its early days to the v20 release.

5 books that transformed my day-to-day life as a PM

These five books helped me grow as a product manager by improving my mindset, habits, leadership, and decision-making.

`ratatui`と`tokio`で作るTUIの基本

AIコーディングハンズオンの講師をやりました(株式会社DeNA様の事例)

Bun 1.2.19 Adds Isolated Installs for Better Monorepo Support

Bun 1.2.19 introduces isolated installs for smoother monorepo workflows, along with performance boosts, new tooling, and key compatibility fixes.

Textual v4.0.0: The Streaming Release

Will McGugan may no longer be running a commercial company around Textual, but that hasn't stopped his progress on the open source project. He recently released v4 of his Python …

Code review in the AI age

AI hasn't replaced developers; it's promoted them to architects. Learn how to review AI-generated code and use tools that create review-friendly diffs.

Iterator helpers: The most underrated feature in ES2025

Unlock the power of iterator helpers in ES2025 to write memory-efficient, lazy JavaScript pipelines that scale from streams to infinite data.

A Primer on Focus Trapping

Focus trapping is about managing focus within an element, such that focus always stays within it. The whole process sounds simple in theory, but it can quite difficult to build in practice, mostly because of the numerous parts to you got to manage.

2025-07-21のJS: Nuxt 4.0、Next.js 15.4、npmのパッケージメンテナーを狙ったフィッシング

JSer.info #742 - Nuxt 4.0がリリースされました。

Leader Spotlight: Creating an environment of genuine curiosity, with Nora Keller

Nora Keller talks about embracing non-linear paths, trusting the team, and keeping product grounded in real user needs.

Coding with LLMs in the summer of 2025 (an update)

Salvatore Sanfilippo describes his current AI-assisted development workflow. He's all-in on LLMs for code review, exploratory prototyping, pair-design and writing "part of the code under your clear specifications", but warns …

Quoting Armin Ronacher

Every day someone becomes a programmer because they figured out how to make ChatGPT build something. Lucky for us: in many of those cases the AI picks Python. We should …

私のキャリアに影響を与えたコンピューター・IT の定番書籍

現代は知らないことがあればすぐにインターネットで調べたり、AI に質問できる時代です。このような時代において本を読む必要はあるのでしょうか？答えは Yes です。なぜなら、検索をしたり AI に質問をするためには、ある程度の基礎知識が必要だからです。この記事では私のキャリアにおいて影響を与えたであろうコンピューター・IT の定番書籍を紹介します。

Kiroとコンテキストエンジニアリングの時流

Kiro(kiro.dev)は、AWSが開発したIDE型のコーディングエージェントです。CursorやWindsurfのようなVS Codeフォークエディタに分類されます。現在はパブリックプレビュー中で、サインアップするとKiroでClaude Sonnet 3.7 とClaude 4 Sonnetを利用できます。 KiroThe AI IDE for prototype to productionKiro Kiroの特徴は、スペック駆動開発、エージェントフック、ステアリングファイルといった独自の機能を通じて、ソフトウェア開発のライフサイクル全体を支援します。それぞれ見ていきましょう。 スペック (Specs)駆動開発 Kiroの中核をなすのが「スペック＝仕様書」機能です。これは、ユーザーが入力した大まかな指示（例：「ユーザー認証機能を追加して」）をもとに、AIが「要件定義」「設計」「タスクリスト」という3段階のドキュメントを自動で生成するものです。 Markdownファイルが.kiro/specs/${task}/配下にタスク単位で生成されます。

Active Supply Chain Attack: npm Phishing Campaign Leads to Prettier Tooling Packages Compromise

Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.

npm Phishing Email Targets Developers with Typosquatted Domain

A phishing attack targeted developers using a typosquatted npm domain (npnjs.com) to steal credentials via fake login pages - watch out for similar sc...

Knip Hits 500 Releases with v5.62.0, Improving TypeScript Config Detection and Plugin Integrations

Knip hits 500 releases with v5.62.0, refining TypeScript config detection and updating plugins as monthly npm downloads approach 12M.

Getting Creative With Versal Letters

A versal letters is a typographic flourish found in illuminated manuscripts and traditional book design, where it adds visual interest and helps guide a reader’s eye to where they should begin.

Leader Spotlight: Navigating a complete product redesign, with Tyler Stone

Tyler Stone, Associate Director, Product at Sensor Tower, talks through how he’s led Sensor Tower through a complete product redesign.

Cloudflare Workers Tech Talks in Kyoto #1 に行ってきたメモ #workers_tech

Community Showcase (Q2 2025)

An update on what the community has been up to in Q2 of 2025

Open Source Maintainers Feeling the Weight of the EU’s Cyber Resilience Act

The EU Cyber Resilience Act is prompting compliance requests that open source maintainers may not be obligated or equipped to handle.

Scraping and vibe coding a schedule app for Open Sauce 2025 entirely on my phone

This morning, working entirely on my phone, I scraped a conference website and vibe coded up an alternative UI for interacting with the schedule using a combination of OpenAI Codex …

12 UX design examples that show how to stop user errors before they happen

Learn how top products like GitHub, Google Calendar, and Medium prevent user errors with smart UX. Get 12 practical examples to inspire your next design.

How to build better AI apps in React with MediaPipe’s latest APIs

Build an AI-powered object detection app in React using MediaPipe's latest Tasks API, run models in-browser with no backend setup.

Quoting Terence Eden

The modern workforce shouldn't be flinging copies to each other. A copy is outdated the moment it is downloaded. A copy has no protection against illicit reading. A copy can …

Getting Clarity on Apple’s Liquid Glass

Gathered notes on Liquid Glass, Apple’s new design language that was introduced at WWDC 2025. These links are a choice selection of posts and resources that I've found helpful for understanding the context of Liquid Glass, as well as techniques for recreating it in code.

自力で時差計算をしろと言われたら。あるいはDSTによる変換の曖昧性について。

AI won’t fix bad thinking — use it to challenge you instead

AI agrees too easily. That’s a problem. Learn how to prompt it to challenge your thinking and improve your product decisions.

Crates.io Implements Trusted Publishing Support

Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.

Fell in a hole, got out.

This is an absolutely fascinating entrepreneurial war story by Medium CEO Tony Stubblebine, describing how they went from losing $2.6 million per month in 2022 to being monthly profitable since …

How to Get Security Patches for Legacy Unsupported Node.js Versions

unsupported Node.js versions leave your applications vulnerable to security risks, performance issues, and compliance violations.

How to build unified AI interfaces using the Vercel AI SDK

Learn how to use the Vercel AI SDK to build modern, multimodal frontend apps with streaming, function calling, image analysis, voice output, and generative UI.

Shipping WebGPU on Windows in Firefox 141

WebGPU is coming to Mac and Linux soon as well: Although Firefox 141 enables WebGPU only on Windows, we plan to ship WebGPU on Mac and Linux in the coming …

Documenting what you're willing to support (and not)

Devious company culture hack from Rachel Kroll: At some point, I realized that if I wrote a wiki page and documented the things that we were willing to support, I …

How to prep for a software dev interview: Advice from a dev leader

Interviewing for a software engineering role? Hear from a senior dev leader on what he looks for in candidates, and how to prepare yourself.

What I Took From the State of Dev 2025 Survey

State of Devs 2025 survey results are out! Sunkanmi Fafowora highlights a few key results about diversity, health, and salaries.

Unison 言語から、「次」の言語を考察したい

Leader Spotlight: Building an audience-segmented product strategy, with Chrissie Lamond

Chrissie Lamond, VP of Product at Mansueto Ventures, talks about how she builds product experiences across audience segments.

Passkey への道 #9: ユーザに求められる令和のアカウントリテラシ

サービスは、ユーザを守るために Passkey をサポートし、ユーザの移行を促す努力をする必要があった。このプロセスに対して、ユーザはまったくの受動的態度でいることはできない。では、ユーザはいったい何をリテラシとして身につけ、どう自分の身を守っていくべきなのだろうか?

Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users

Undocumented protestware found in 28 npm packages disrupts UI for Russian-language users visiting Russian and Belarusian domains.

What to do when users just want the old version back

Change is tough. Here’s how to help your users adapt when all they want is the old version back.

Next.js real-time video streaming: HLS.js and alternatives

Set up real-time video streaming in Next.js using HLS.js and alternatives, exploring integration, adaptive streaming, and token-based authentication.

AI compliance: A core product competency you shouldn’t skip

AI governance is now a product feature. Learn how to embed trust, transparency, and compliance into your build cycles.

AWS の エージェント IDE Kiro を使ってみた

Kiro は AWS が開発した IDE 内蔵型の AI コーディングエージェントです。Kiro の特徴は単なるバイブコーディングにとどまらず、スペックを使用して仕様駆動開発でアプリケーションを開発できることです。この記事では Kiro を使ったアプリケーション開発の流れを紹介します。

Leader Spotlight: Designing for trust and managing user expectations, with Rachel Bentley

Rachel Bentley shares the importance of companies remaining transparent about reviews and where they’re sourced from to foster user trust.

Passkey への道 #8: サービスにとって「移行」のゴールは何か?

パスワード + TOTP は限界を迎え、Passkey へ移行しなければ、サービスがユーザを守りきれなくなった。逆を言えば、サービスがユーザを守りたいと思うのであれば、Passkey を提供しないわけにはいかない時代に突入している。では、令和のこの状況において、サービスはど...

Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader

North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader.

A guide to UX documentation: Recording your design process

Documentation may not be your favorite part of the UX design process, but it’s crucial to the success of any design project.

Setting Line Length in CSS (and Fitting Text to a Container)

The many ways to juggle line length when working with text... including two proposed properties that could make it easier in the future.

We’re Moving! NodeSource Distributions Now Have a New Home - With Extended Support

Today, we're announcing a key change to how we serve and support our Node.js binary distributions, and it comes with something new: Extended Support.

Astroで動的なパスの画像を扱う

Leader Spotlight: Scaling an ecommerce business within a broader organization, with Michal Ochnicki

Michal Ochnicki talks about the importance of ensuring that the ecommerce side of a business is complementary to the whole organization.

Passkey への道 #7: そして Username-Less へ

Apple が突如発表した Passkey。実態は「WebAuthn の秘密鍵を iCloud で共有」するサービスだった。そして、業界は本格的な Password-Less に向けて進んでいく。

Happy 20th birthday Django! Here's my talk on Django Origins from Django's 10th

Today is the 20th anniversary of the first commit to the public Django repository! Ten years ago we threw a multi-day 10th birthday party for Django back in its birthtown …

サンドボックス環境を MCP サーバーで提供する Container Use

AI コーディングエージェントは便利ですが、任意の Bash コマンドを実行できるため、ユーザーのシステムに影響を与える可能性があります。Container Use は MCP サーバーとして動作し、AI コーディングエージェントにサンドボックス環境を提供します。この記事では Container Use の利用方法について紹介します。

Passkey への道 #6: タブーを破った Apple

TOTP/WebAuthn は、バックアップコードの適切な保管方法が示されないまま、移行だけが推し進められた。YubiKey などの物理 Authenticator の扱いとして、「二本登録して、片方は普段使い、もう片方は貸金庫へ」などと、かなり無理のあるベストプラクティス...

crates.io: Trusted Publishing

crates.io is the Rust ecosystem's equivalent of PyPI. Inspired by PyPI's GitHub integration (see my TIL, I use this for dozens of my packages now) they've added a similar feature: …

Meet Socket at Black Hat and DEF CON 2025 in Las Vegas

Meet Socket at Black Hat & DEF CON 2025 for 1:1s, insider security talks at Allegiant Stadium, and a private dinner with top minds in software supply ...

2025-07-12のJS: TypeScript 5.9 Beta、i18nとローカライズ、Node.jsのモダンな機能

JSer.info #741 - TypeScript 5.9 Betaがリリースされました。

v0 の SDK を試してみる

v0 は Vercel が開発した AI ベースの Web アプリケーション・UI 生成ツールです。v0 のプラットフォーム API を使用すると、v0 の機能を自身のコードから利用できます。この記事では v0 TypeScript SDK を使用して、v0 のプラットフォーム API を試してみます。

Passkey への道 #5: 2FA/WebAuthn

Infostealer は、ユーザの権限でインストールされ、ユーザがアクセスできるあらゆる情報を盗んで去っていく。そこから、どんなに暗号化して保存しても、使用時には平文にしないといけない「パスワード」という文字列を守り抜くのは非常に難しい。であれば、最初から文字列に頼らなけ...

When is low-code the right choice? Here’s how to decide

Wondering if low-code is right for your next project? This guide breaks down use cases, trade-offs, and a decision framework for developers.

Comparing AI app builders — Firebase Studio vs. Lovable vs. Replit

Compare Firebase Studio, Lovable, and Replit for AI-powered app building. Find the best tool for your project needs.

Scroll-Driven Sticky Heading

I was playing around with scroll-driven animations, just searching for all sorts of random things you could do. That’s when I came up with the idea to animate main headings and, using scroll-driven animations, change the headings based on the user’s scroll position.

GitHub Copilot NESの内部実装が公開、そして続・AIエディタ戦争

Copilot NESとは Copilot NES（Next Edit Suggestions）は2025年2月にリリースされたGitHub Copilotの内部機能です。コードの変更に連動して必要となる次の編集を予測し、タブキーを押しているだけで複数箇所にわたる修正を提案してくれます。通常のコード補完がカーソル位置の続きのコードを予測するのに対して、Copilot NESは「エディタ上の編集操作」の単位で続きを予測して補完します。 GitHub Next | Copilot Next Edit SuggestionsGitHub Next Project: Can we improve Copilot code completion by suggesting the next logical change, wherever it is in your project?GitHub Next この仕組みはCopilot NESの元ネタであるCursor Tab(Copilot++)によって実用化されましたが、Cursorはプロプライエタリなソフトウェアなので内部の詳細が分かり

How I use Claude Code (+ my best tips)

I switched from Cursor's agents to Claude Code weeks ago and I'm not going back. Here's how I use it and my best practical tips

Postgres LISTEN/NOTIFY does not scale

I think this headline is justified. Recall.ai, a provider of meeting transcription bots, noticed that their PostgreSQL instance was being bogged down by heavy concurrent writes. After some spelunking they …

Leader Spotlight: Building an effortlessly personal healthcare experience, with Christina Valls

Christina Valls shares how her teams have transformed digital experiences at Cedars-Sinai, including building a digital scheduling platform.

AI Agentのアウトプットに『Next.jsの考え方』を反映するプラクティス

Passkey への道 #4: 文字列の限界

パスワードと TOTP の問題は、「人間が入力する必要がある」ことだった。対策は Autofill であり、そのためにもパスワードマネージャ相当が必要になる。では、パスワードマネージャを使っていれば、パスワードと TOTP で十分なのだろうか?

Why I don’t trust WCAG 2.2 and what I’m hoping from 3.0

You can follow WCAG 2.2 and still build inaccessible products. Here's what I want from WCAG 3.0.