Engineering.
// frameworks · infrastructure · tooling · languages
Dev tools, framework releases, infra
Critical cPanel CVE-2026-41940 enables auth bypass. Patch now.
CVE-2026-41940 in cPanel and WHM allows authentication bypass and remote elevated control. Government and MSP networks are being actively targeted. Patch immediately.
Critical Apache HTTP/2 flaw enables RCE. Patch is 2.4.67.
CVE-2026-23918 is a double-free in Apache HTTP Server's HTTP/2 implementation. RCE is plausible. Upgrade to 2.4.67 or disable HTTP/2 until you can.
Next.js 16 makes Turbopack the default. Migration is mostly free.
Next.js 16 ships Turbopack as the default bundler for dev and prod, replaces middleware with proxy.ts, and introduces a Build Adapters API. Six months in, the migration story is calmer than expected.
React 19.2 batches Suspense reveals. Server-render hydration gets quieter.
React 19.2.6 shipped May 6 with type hardening and a notable behaviour change: server-rendered Suspense boundaries are now batched briefly so content reveals together instead of streaming in piecemeal.
ShinyHunters breached Instructure. Canvas covers 41% of US higher ed.
Criminal extortion group ShinyHunters breached Instructure, owner of Canvas LMS. Canvas covers 41% of higher-ed institutions in North America. The pay-or-leak demand is the largest education-sector breach of 2026.
AI-generated malware bypassing detection. The trend is now measurable.
AI-generated malware is slipping past traditional signature and behaviour detection. The barrier to technically sophisticated attacks dropped materially in 2025-2026. Defensive playbooks need updating.
Microsoft Build 2026 lands June 2-3. Agent infrastructure is the theme.
Build runs June 2-3 with Satya Nadella's keynote opening day one. Foundry IQ, Fabric IQ, and Azure HorizonDB are already announced. The expected Copilot Studio deep-dive will determine whether Microsoft's agent story is real or just demoware.
AWS Bedrock adds Claude Opus 4.7 and GPT-5.5
AWS shipped Claude Opus 4.7 in Bedrock and added GPT-5.5 in limited preview. Bedrock AgentCore added a managed harness, CLI, and skills for coding assistants. The frontier-on-AWS stack is now multi-vendor by default.
Cloudflare ships AI agent sandboxes. Edge compute meets agent runtime.
Cloudflare's Agents Week 2026 shipped Sandboxes — persistent isolated environments with shells, filesystems, and background processes that start in milliseconds. Plus 320 PoPs and a unified inference layer for 14+ model providers.
Postgres 18's async I/O subsystem hits 3x on sequential scans
Postgres 18 introduced an asynchronous I/O subsystem that issues parallel I/O requests instead of waiting on each one. Benchmarks show up to 3x gains on seq scans, bitmap heap scans, and vacuum.
Bun 2-3x ahead of Node on RPS. The runtime question is now serious.
2026 benchmarks put Bun at 30-50K RPS on standard HTTP workloads vs Node's 13-20K. Deno 2 sits in the middle around 22K. With Deno's full Node-compat and Bun's drop-in story, the runtime decision is no longer academic.
TypeScript 6.0 ships as the last JavaScript-based release
TypeScript 6.0 landed March 23 with strict mode on by default, ESM as default module, and ES5 deprecated. Microsoft has confirmed 6.0 is the final JavaScript-based release before the Go-native 7.0 compiler ships.
GitHub Copilot's autonomous agent mode hits GA
Copilot Agent Mode is generally available on VS Code and JetBrains. The agent picks files to edit, runs terminal commands, and iterates on errors without manual intervention. The Coding Agent for PRs ships in parallel.