David Mytton
@davidmytton.social
Building the security platform that ships with your code at http://arcjet.com. Writing the http://console.dev devtools newsletter.
Capability-based sandboxing in Wasm can lock down the external communication leg of @simonwillison.net's AI lethal trifecta.

Private data via APIs + user prompt (untrusted content) + no fetch capability.

This is what Microsoft is going for with Wassette

opensource.microsoft.com/blog/2025/08...
August 12, 2025 at 10:23 AM
Reposted by David Mytton
The State of CSS 2025 survey results are now available:

2025.stateofcss.com/en-US/

Big thanks to @amitsheen.bsky.social, @saron.bsky.social, @miocene.io, @sjoy.lol, @joshwcomeau.com, @kilianvalkhof.com, and all the other contributors!
August 10, 2025 at 7:27 AM
Moving to NYC! 🇺🇸 Packing the essentials
August 5, 2025 at 3:25 PM
Reposted by David Mytton
Today's the day!

We're releasing a new major feature of @tanstack.com Form for all adapters that allows you to change the validation mode based on submission.

(For React nerds that's how RHF works OOTB)

No breaking changes, trivial to implement; try it out!

tanstack.com/form/latest/...
Dynamic Validation | TanStack Form React Docs
In many cases, you want to change the validation rules based depending on the state of the form or other conditions. The most popular example of this is when you want to validate a field differently b...
August 4, 2025 at 9:46 PM
Reposted by David Mytton
Wow - CNN’s front page is the investigation “Inside North Korea’s effort to infiltrate US companies.”

4 months ago covered this same threat in @pragmaticengineer.com with exactly this AI filter.

If you’re hiring full remote as a tech company, you NEED to expect NK to try and infiltrate
August 5, 2025 at 5:14 AM
Reposted by David Mytton
🔥 The MacOS Stickies app is so underrated.
- Little floating windows to take notes throughout the day
- Can pin/float on top of whatever you're doing
- Can color-code to organize thoughts

...Probably hasn't been changed since the 90s, but you can't knock stable software
August 5, 2025 at 11:42 AM
Reviewed github.com/9001/copyparty for the @console.dev newsletter this week. Makes anything a file server with resumable downloads/uploads + web UI.

Also a great example of a super comprehensive README!
GitHub - 9001/copyparty: Portable file server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps
August 3, 2025 at 2:20 PM
So many JS runtimes. Node.js. Edge runtime. Bun. Deno. workerd. At least one of these has already been deprecated, which is an issue if you've built your entire app around its APIs!
August 2, 2025 at 12:53 PM
Reposted by David Mytton
TypeScript 5.9 is now available! 📣

This release brings:

✅ An updated tsc --init
✅ Type-checking for the new 'import defer'
✅ Actual summaries in more DOM APIs
✅ Expandable quick info hovers (✨preview✨)

and more! Read up more on our blog:

devblogs.microsoft.com/typescript/a...
Announcing TypeScript 5.9 - TypeScript
Today we are excited to announce the release of TypeScript 5.9! If you’re not familiar with TypeScript, it’s a language that builds on JavaScript by adding syntax for types. With types, TypeScript mak...
August 1, 2025 at 5:15 PM
Reposted by David Mytton
The S in MCP stands for security
August 2, 2025 at 5:29 AM
A prize to anyone who can name all my laptop stickers 👀

www.youtube.com/watch?v=Cuem...
August 1, 2025 at 11:37 PM
Useful security assumptions for 2025:

- All your personal data has already been "lost"
- A random dependency has been compromised with a malware post-install script
- Your washing machine has a zero day and is now part of a botnet
July 31, 2025 at 11:09 PM
That you need to use react-hook-form to do anything more than the most basic form...

The next Next.js component is a good first step, but it only supports POST requests right now

yorickpeterse.com/articles/thr...
Three HTTP versions later, forms are still a mess
The last few weeks I've been working on adding an HTTP 1.1 stack to the standard library of Inko as part of this pull request. The work is still ongoing but the initial set of changes will include an…
July 30, 2025 at 10:51 PM
Reposted by David Mytton
With Tom Lehrer's passing, I suppose this is a moment to share the story of the prank he played on the National Security Agency, and how it went undiscovered for nearly 60 years.
July 27, 2025 at 9:01 PM
Reposted by David Mytton
One of the best examples of LLM developer tooling I've heard is from a team that supports software from the 80s-90s. Their only source of documentation is *video interviews* with retired employees. So they feed them into transcription software and get summarized searchable notes out the other end.
June 3, 2025 at 11:20 PM
Reposted by David Mytton
Join us at another episode of Tech on the Rocks, this time with @davidmytton.social of Arcjet. We talk about security as code, security in a world of AI and dev tooling.

Check the episode here: https://buff.ly/4ggWGeO
December 19, 2024 at 8:48 PM
Reposted by David Mytton
A friend got her (Android) phone stolen and the thieves were able to quickly pivot into her Google account and then bank.

I’ve been wondering how they did that and my best guess is SMS password resets (aka SMS 1FA).

So yeah, SIM PINs (or eSIMs) might help. Also no text body on lock screens.
Upgraded one of my phones to iOS 18.1 and was puzzled because I found it several times rebooted and SIM-locked (yes, I have PINs on my SIMs). I thought it was a bug but…

turns out there is a new inactivity reboot!¹

Brilliant analysis, "must read"™!
__
¹ naehrdine.blogspot.com/2024/11/reve...
November 18, 2024 at 8:58 AM
Reposted by David Mytton
'AI Engineer' means you build things that contain AI - LLM chains, agents, multi-modal stuff.

So, what is its opposite? What do we call a 'normal' software engineer?
November 18, 2024 at 9:12 AM
Reposted by David Mytton
Creating an email parser requires combining local part parsing with domain parsing to ensure we validate the syntax against the RFCs...but of course just following the RFC doesn't quite work in the real world!
November 15, 2024 at 10:56 AM
Developer <-> security interaction today is pretty negative. After coding, testing, deploying...they get hit from 2 angles:
November 14, 2024 at 7:51 PM
Love the minimalism of iCloud Mail on the web especially now it has primary inbox, and dark mode that works properly. Gmail's "dark" theme really is terrible - the web UI is such a mess.
November 12, 2024 at 9:59 AM
Reposted by David Mytton
The ultimate Next.js SaaS template: next-forge.com

ORM, auth, billing, analytics, website, blog, cron jobs, dark mode, email, testing.

Built with @nextjs.org @vercel.com @prisma.io and a great set of amazing tools
Production-grade Turborepo template for Next.js apps
A monorepo template designed to have everything you need to build your new SaaS app as quick as possible. Authentication, billing, analytics, SEO, database ORM and more — it's all here.
November 11, 2024 at 1:37 PM
Go is the best
tried cross compiling in Go for the first time and it’s really amazing how “GOARCH=amd64 GOOS=linux go build” just works immediately
November 8, 2024 at 3:17 PM
🫠
Security advisory from Okta suggesting it was possible to log in to user accounts without the password if the username was longer than 52 characters? 🤯

trust.okta.com/security-adv...
Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory
November 2, 2024 at 12:33 AM
Reposted by David Mytton
Interesting devtool of the week: rsbuild.dev by @rspack.bsky.social

What we like: Designed as an alternative to Vite and Create React App/Webpack. Compiles TypeScript, Sass, Wasm, JSX. Handles image compression, CSS builds e.g. PostCSS, and type checking. Not tied to a UI framework
Rsbuild
The Rspack-based build tool
November 1, 2024 at 10:03 PM