Barayuda

VoidZero is joining Cloudflare. Our mission stays the same: to make JavaScript developers more productive than ever before. Vite, Vitest, Rolldown, Oxc, and Vite+ remain MIT-licensed. Evan and the VoidZero team will continue leading them. Cloudflare shares our commitment to open source. Together, we can keep investing in the tooling developers rely on every day, while bringing the Vite ecosystem and Cloudflare’s platform even closer together.

Today we are saying goodbye to Windsurf …and we are transforming it to Devin Desktop Windsurf has been an absolutely amazing experience for me and the team. Though it has been rocky at times, we have seen every phase of AI coding and we want to keep embracing where things are going. That means we need to once again reorient ourselves towards a more focused goal and remove the Windsurf branding. Believe it or not, the Windsurf brand has been around less than a year and a half, and before that, the previous name Codeium was only around a similar timeframe as well. I’ve actually had to change my email every year all the way to the eventual acquisition to Cognition. In AI, most products only have a 1 year lifespan before you need to drastically change it to the next. Devin now encompasses all our form factors, whether it’s the cloud agent, the agent command center (with IDE), CLI, review, or our other products. This way we can really focus our efforts around one name. We are doubling down on our neutrality and making Devin Desktop compatible with other agents via ACP. We may be the only “Switzerland” of AI left and we embrace this role. As for me, I’ll be transitioning from CEO of Windsurf to Cognition’s President of New Enterprise, helping open new regions and verticals, accelerating velocity, and filling in gaps as usual. The story of Windsurf doesn’t end here, it continues on as part of Devin’s journey.

Today we announced Workshop – a solution for launching sandboxed development environments in Ubuntu with a single command. Spend less time on configuring your environment: with just a few lines of YAML, you’ve got a reproducible environment you can use across machines. Find out how it works at: https://t.co/ItDsCVb34O

We’re introducing a new GitHub Certified: Agentic AI Developer (GH-600). As AI agents become part of modern development workflows, this role-based certification focuses on how developers and teams operate, supervise, and integrate agents across the SDLC. If you’re already working with tools like GitHub Copilot or exploring agent-driven workflows, we’d love your input. Learn more and get involved. https://t.co/ruiYtlsYnj

🚨 A junior at Jane Street reportedly landed a $220K–$600K role because he used AI to analyze trillions of data points faster than most teams ever could. In this 1-hour lecture, he breaks down the exact system behind it: • how he researches massive datasets • how AI finds patterns humans miss • how his machine turns raw data into decisions • how you can apply the same thinking yourself Skip Netflix tonight. Watch this instead. One hour could completely change how you think about research, AI, and opportunity.

‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP. The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years. Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box. The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root. Result: the next time anyone runs that program, it lets the attacker in as root. What should worry most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk. Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants. The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today. This vulnerability affects the following: 🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root 🔴 Kubernetes and container clusters: one compromised pod escapes to the host 🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner 🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root Timeline: 🔴 March 23, 2026: reported to the Linux kernel security team 🔴 April 1: patch committed to mainline (commit a664bf3d603d) 🔴 April 22: CVE assigned 🔴 April 29: public disclosure Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf rmmod algif_aead 2>/dev/null || true For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...